On 04/11/2019 14:01, Adrian Bunk wrote:
On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote:
This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
recipe.
Signed-off-by: Ross Burton <[email protected]>
---
meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
index 66af2f3d60e..07970e14360 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
@@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools"
FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
BBCLASSEXTEND = "native nativesdk"
+
+# CVE-2019-17371 is actually a memory leak in gif2png 2.x
+CVE_CHECK_WHITELIST = "CVE-2019-17371"
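Review bot: The hard assignment in `+CVE_CHECK_WHITELIST = "CVE-2019-17371"` replaces, for this recipe, any whitelist value a distribution or user has set with a plain `=` or `+=` in their configuration, so those entries silently stop applying to libpng; if the intent is a strictly per-recipe whitelist that downstream layers extend with `_append`, state that in the comment above it (`# Per-recipe whitelist; extend with CVE_CHECK_WHITELIST_append_pn-libpng`), otherwise use `CVE_CHECK_WHITELIST += "CVE-2019-17371"` so existing entries are kept. The comment should also say where the gif2png attribution comes from, since a future reader has only this line to judge whether the whitelist is still justified.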
These should use += to not overwrite whitelists defined by
the distribution or the user.
IMHO, the distribution or user should be using _append. The whitelist
should be explicitly per-recipe: there's a CVE which is tagged
incorrectly as being in openssl *and* mod_ssl, we don't want to
whitelist it globally but only in openssl.
V2 incoming, just to be safe, though.
Ross
--
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core
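The parse-order interaction that the two replies above argue about, as an added example that is not part of the original thread or of the libpng recipe. It shows the recipe-level hard assignment from the patch next to the two ways a distribution layer could try to add to it; the distro file name `conf/distro/example-distro.conf` and the identifier `CVE-YYYY-NNNN` are placeholders, not a real layer or a real CVE.

```bitbake
# --- meta/recipes-multimedia/libpng/libpng_1.6.37.bb (recipe scope) ---
# Hard assignment. It is evaluated when the recipe is parsed, which happens
# after local.conf and the distro .conf have already been read, so any plain
# "=" or "+=" value from those files is replaced for this recipe only.
# Other recipes still see the global value.
CVE_CHECK_WHITELIST = "CVE-2019-17371"

# --- conf/distro/example-distro.conf (placeholder distro layer) ---
# Does NOT reach libpng: "+=" is applied immediately at conf parse time,
# and the recipe's "=" above later overwrites the whole variable.
CVE_CHECK_WHITELIST += "CVE-YYYY-NNNN"

# DOES reach libpng: "_append" is deferred until all assignments for the
# recipe have been processed, and the pn-libpng override limits it to that
# one recipe. The leading space is required; _append adds no separator.
CVE_CHECK_WHITELIST_append_pn-libpng = " CVE-YYYY-NNNN"
```

With both fragments in place, the resolved value for libpng is `"CVE-2019-17371 CVE-YYYY-NNNN"` while every other recipe keeps only the global `"CVE-YYYY-NNNN"`. The value a given recipe actually ends up with can be checked with `bitbake -e libpng | grep '^CVE_CHECK_WHITELIST='`, which is the quickest way to confirm whether a distro-level entry survived a recipe's `=`.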