* [PATCH] libyaml: Amend CVE status as 'upstream-wontfix'
@ 2024-08-01 10:17 niko.mauno
2024-08-02 14:25 ` Guðni Már Gilbert
0 siblings, 1 reply; 3+ messages in thread
From: niko.mauno @ 2024-08-01 10:17 UTC (permalink / raw)
To: openembedded-core; +Cc: Niko Mauno
From: Niko Mauno <niko.mauno@vaisala.com>
Use an existing defined CVE_CHECK_STATUSMAP key in
meta/lib/oe/cve_check.py in order to avoid following complaint from
BitBake:
WARNING: libyaml-native-0.2.5-r0 do_create_spdx: Invalid detail "wontfix" for CVE_STATUS[CVE-2024-35328] = "wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302", fallback to Unpatched
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
---
meta/recipes-support/libyaml/libyaml_0.2.5.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-support/libyaml/libyaml_0.2.5.bb b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
index 2154910d0c..1c6a5fcb45 100644
--- a/meta/recipes-support/libyaml/libyaml_0.2.5.bb
+++ b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
@@ -18,6 +18,6 @@ inherit autotools
DISABLE_STATIC:class-nativesdk = ""
DISABLE_STATIC:class-native = ""
-CVE_STATUS[CVE-2024-35328] = "wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302"
+CVE_STATUS[CVE-2024-35328] = "upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302"
BBCLASSEXTEND = "native nativesdk"
--
2.39.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] libyaml: Amend CVE status as 'upstream-wontfix'
2024-08-01 10:17 [PATCH] libyaml: Amend CVE status as 'upstream-wontfix' niko.mauno
@ 2024-08-02 14:25 ` Guðni Már Gilbert
2024-08-03 10:55 ` [OE-core] " Niko Mauno
0 siblings, 1 reply; 3+ messages in thread
From: Guðni Már Gilbert @ 2024-08-02 14:25 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 372 bytes --]
I wonder if it would be good to backport this to Scarthgap. I'm getting the following warning for unpatched CVE on latest scarthgap:
WARNING: libyaml-0.2.5-r0 do_cve_check: Found unpatched CVE (CVE-2024-35328), for more information check /home/builder/yocto/build/tmp/work/cortexa9t2hf-neon-tdx-linux-gnueabi/libyaml/0.2.5/temp/cve.log
Would this patch silence it?
[-- Attachment #2: Type: text/html, Size: 439 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [OE-core] [PATCH] libyaml: Amend CVE status as 'upstream-wontfix'
2024-08-02 14:25 ` Guðni Már Gilbert
@ 2024-08-03 10:55 ` Niko Mauno
0 siblings, 0 replies; 3+ messages in thread
From: Niko Mauno @ 2024-08-03 10:55 UTC (permalink / raw)
To: openembedded-core
On 8/2/24 17:25, Guðni Már Gilbert wrote:
> I wonder if it would be good to backport this to Scarthgap. I'm getting
> the following warning for unpatched CVE on latest scarthgap:
> WARNING: libyaml-0.2.5-r0 do_cve_check: Found unpatched CVE
> (CVE-2024-35328), for more information check
> /home/builder/yocto/build/tmp/work/cortexa9t2hf-neon-tdx-linux-gnueabi/libyaml/0.2.5/temp/cve.log
> Would this patch silence it?
>
Thanks, I've submitted
https://lists.openembedded.org/g/openembedded-core/message/202933 which
should fix the issue if it gets incorporated.
-Niko
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-08-03 10:56 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-08-01 10:17 [PATCH] libyaml: Amend CVE status as 'upstream-wontfix' niko.mauno
2024-08-02 14:25 ` Guðni Már Gilbert
2024-08-03 10:55 ` [OE-core] " Niko Mauno
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox