[gnome-continuous-yocto/gnomeostree-3.28-rocko: 3323/8267] cve-check.bbclass: CVE-2014-2524 / readline v5.2

From: Emmanuele Bassi <ebassi src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnome-continuous-yocto/gnomeostree-3.28-rocko: 3323/8267] cve-check.bbclass: CVE-2014-2524 / readline v5.2
Date: Sun, 17 Dec 2017 00:28:19 +0000 (UTC)

commit fe5c48dddf4bf6555be701bf38c316718b1c1794
Author: André Draszik <adraszik tycoint com>
Date:   Fri Nov 4 11:06:31 2016 +0000

    cve-check.bbclass: CVE-2014-2524 / readline v5.2
    
    Contrary to the CVE report, the vulnerable trace functions
    don't exist in readline v5.2 (which we keep for GPLv2+
    purposes), they were added in readline v6.0 only - let's
    whitelist that CVE in order to avoid false positives.
    
    See also the discussion in
     https://patchwork.openembedded.org/patch/81765/
    
    (From OE-Core rev: b881a288eec598002685f68da80a24e0478fa496)
    
    Signed-off-by: André Draszik <adraszik tycoint com>
    Reviewed-by: Lukasz Nowak <lnowak tycoint com>
    Signed-off-by: Ross Burton <ross burton intel com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 meta/classes/cve-check.bbclass |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 1425a40..b0febfb 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -39,7 +39,7 @@ CVE_CHECK_PN_WHITELIST = "\
 
 # Whitelist for CVE and version of package
 CVE_CHECK_CVE_WHITELIST = "{\
-    'CVE-2014-2524': ('6.3',), \
+    'CVE-2014-2524': ('6.3','5.2',), \
 }"
 
 python do_cve_check () {

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]