* [PATCH] libyaml: Update status of CVE-2024-35328
From: Khem Raj @ 2024-07-28 14:49 UTC
To: openembedded-core; +Cc: Khem Raj
This is open yet but seems to be disputed
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/recipes-support/libyaml/libyaml_0.2.5.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-support/libyaml/libyaml_0.2.5.bb b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
index 4cb5717ece8..2d6f27af1fc 100644
--- a/meta/recipes-support/libyaml/libyaml_0.2.5.bb
+++ b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
@@ -18,4 +18,6 @@ inherit autotools
DISABLE_STATIC:class-nativesdk = ""
DISABLE_STATIC:class-native = ""
+CVE_STATUS[CVE-2024-35328] = "disputed: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302"
+
BBCLASSEXTEND = "native nativesdk"
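Review bot: The `disputed` keyword on the added `CVE_STATUS[CVE-2024-35328]` line states more than the change supports: the commit message says only that the CVE is still open and "seems to be disputed", and the reference given is an upstream issue. Pick a status that matches what is actually known (upstream reports no working exploitable code), keep the issue link in the description, and expand the commit message to summarise what that issue concludes so the reason for the status is recorded in the history.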
* Re: [OE-core] [PATCH] libyaml: Update status of CVE-2024-35328
From: Marta Rybczynska @ 2024-07-31 8:47 UTC
To: raj.khem; +Cc: openembedded-core
On Sun, Jul 28, 2024 at 4:49 PM Khem Raj via lists.openembedded.org
<raj.khem=gmail.com@lists.openembedded.org> wrote:
> This is open yet but seems to be disputed
>
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> ---
> meta/recipes-support/libyaml/libyaml_0.2.5.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-support/libyaml/libyaml_0.2.5.bb
> b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
> index 4cb5717ece8..2d6f27af1fc 100644
> --- a/meta/recipes-support/libyaml/libyaml_0.2.5.bb
> +++ b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
> @@ -18,4 +18,6 @@ inherit autotools
> DISABLE_STATIC:class-nativesdk = ""
> DISABLE_STATIC:class-native = ""
>
> +CVE_STATUS[CVE-2024-35328] = "disputed: Upstream thinks there is no
> working code that is exploitable -
> https://github.com/yaml/libyaml/issues/302"
> +
> BBCLASSEXTEND = "native nativesdk"
>
Khem, formally this one isn't "disputed". "disputed" is a formal CVE
programme tag, which isn't there for CVE-2024-35328 as of today.
Regards,
Marta
* Re: [OE-core] [PATCH] libyaml: Update status of CVE-2024-35328
From: Khem Raj @ 2024-07-31 14:34 UTC
To: Marta Rybczynska; +Cc: openembedded-core
On Wed, Jul 31, 2024 at 1:47 AM Marta Rybczynska <rybczynska@gmail.com>
wrote:
>
>
> On Sun, Jul 28, 2024 at 4:49 PM Khem Raj via lists.openembedded.org
> <raj.khem=gmail.com@lists.openembedded.org> wrote:
>
>> This is open yet but seems to be disputed
>>
>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>> ---
>> meta/recipes-support/libyaml/libyaml_0.2.5.bb | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/meta/recipes-support/libyaml/libyaml_0.2.5.bb
>> b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
>> index 4cb5717ece8..2d6f27af1fc 100644
>> --- a/meta/recipes-support/libyaml/libyaml_0.2.5.bb
>> +++ b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
>> @@ -18,4 +18,6 @@ inherit autotools
>> DISABLE_STATIC:class-nativesdk = ""
>> DISABLE_STATIC:class-native = ""
>>
>> +CVE_STATUS[CVE-2024-35328] = "disputed: Upstream thinks there is no
>> working code that is exploitable -
>> https://github.com/yaml/libyaml/issues/302"
>> +
>> BBCLASSEXTEND = "native nativesdk"
>>
> Khem, formally this one isn't "disputed". "disputed" is a formal CVE
> programme tag, which isn't there for CVE-2024-35328 as of today.
>
Fair enough. We shall change it. Is ignored ok ?
>
>
> Regards,
> Marta
>
* Re: [OE-core] [PATCH] libyaml: Update status of CVE-2024-35328
From: Marta Rybczynska @ 2024-07-31 15:42 UTC
To: Khem Raj; +Cc: openembedded-core
On Wed, Jul 31, 2024 at 4:35 PM Khem Raj <raj.khem@gmail.com> wrote:
>
>
> On Wed, Jul 31, 2024 at 1:47 AM Marta Rybczynska <rybczynska@gmail.com>
> wrote:
>
>>
>>
>> On Sun, Jul 28, 2024 at 4:49 PM Khem Raj via lists.openembedded.org
>> <raj.khem=gmail.com@lists.openembedded.org> wrote:
>>
>>> This is open yet but seems to be disputed
>>>
>>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>>> ---
>>> meta/recipes-support/libyaml/libyaml_0.2.5.bb | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/meta/recipes-support/libyaml/libyaml_0.2.5.bb
>>> b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
>>> index 4cb5717ece8..2d6f27af1fc 100644
>>> --- a/meta/recipes-support/libyaml/libyaml_0.2.5.bb
>>> +++ b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
>>> @@ -18,4 +18,6 @@ inherit autotools
>>> DISABLE_STATIC:class-nativesdk = ""
>>> DISABLE_STATIC:class-native = ""
>>>
>>> +CVE_STATUS[CVE-2024-35328] = "disputed: Upstream thinks there is no
>>> working code that is exploitable -
>>> https://github.com/yaml/libyaml/issues/302"
>>> +
>>> BBCLASSEXTEND = "native nativesdk"
>>>
>> Khem, formally this one isn't "disputed". "disputed" is a formal CVE
>> programme tag, which isn't there for CVE-2024-35328 as of today.
>>
>
> Fair enough. We shall change it. Is ignored ok ?
>
Wontfix will do for now. If the libyaml team has asked for a refusal and it
will be granted, they might even be removed. But this is a direct MITRE
filing, so it will take time.
Regards,
Marta