On Fri, Jan 15, 2021 at 11:23:39AM +0000, Richard Purdie wrote: > On Fri, 2021-01-15 at 12:47 +0200, Mikko Rapeli wrote: > > It affects only cairo embedded into Firefox. > > > > https://security-tracker.debian.org/tracker/CVE-2013-0800 > > > > "The description is misleading: Firefox embeds a copy of Cairo, the > > interdiff > > shows the respective change at > > mozilla-esr17/gfx/cairo/cairo/src/cairo-image-surface.c > > Apparently the forked copy has changed, the code isn't present in vanilla > > Cairo" > > > > Signed-off-by: Mikko Rapeli <[email protected]> > > --- > > meta/recipes-graphics/cairo/cairo_1.16.0.bb | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/meta/recipes-graphics/cairo/cairo_1.16.0.bb > > b/meta/recipes-graphics/cairo/cairo_1.16.0.bb > > index 8663dec404..29088ab0d6 100644 > > --- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb > > +++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb > > @@ -29,6 +29,9 @@ SRC_URI = > > "http://cairographics.org/releases/cairo-${PV}.tar.xz \ > > file://CVE-2019-6462.patch \ > > " > > > > > > > > > > +# Affects only embedded cairo in Firefox > > +CVE_CHECK_WHITELIST += "CVE-2013-0800" > > + > > That sounds a lot like we should send a CPE change upstream to classify > it as firefox rather than cairo?
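Review bot: The comment above the CVE_CHECK_WHITELIST line gives the reason for the entry but not the evidence. The Debian tracker URL cited in the commit message (https://security-tracker.debian.org/tracker/CVE-2013-0800) belongs in the recipe comment itself, so that anyone auditing the whitelist later can verify the claim without going through the git history. Since the entry works around a cairographics:cairo CPE attached to a bug in Firefox's embedded copy, the comment could also state that the line can be dropped once the CPE data for CVE-2013-0800 is corrected.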
Ok, I sent an email to [email protected] for removal of "cpe:2.3:a:cairographics:cairo:-:*:*:*:*:*:*:*" from CVE-2013-0800 data citing the Debian details. I hope this was the correct way to do this.

Cheers,

-Mikko
View/Reply Online (#146740): https://lists.openembedded.org/g/openembedded-core/message/146740
