On Fri, 2021-01-15 at 11:46 +0000, [email protected] wrote: > On Fri, Jan 15, 2021 at 11:23:39AM +0000, Richard Purdie wrote: > > On Fri, 2021-01-15 at 12:47 +0200, Mikko Rapeli wrote: > > > It affects only cairo embedded into Firefox. > > > > > > https://security-tracker.debian.org/tracker/CVE-2013-0800 > > > > > > "The description is misleading: Firefox embeds a copy of Cairo, the > > > interdiff > > > shows the respective change at > > > mozilla-esr17/gfx/cairo/cairo/src/cairo-image-surface.c > > > Apparently the forked copy has changed, the code isn't present in vanilla > > > Cairo" > > > > > > Signed-off-by: Mikko Rapeli <[email protected]> > > > --- > > > meta/recipes-graphics/cairo/cairo_1.16.0.bb | 3 +++ > > > 1 file changed, 3 insertions(+) > > > > > > diff --git a/meta/recipes-graphics/cairo/cairo_1.16.0.bb > > > b/meta/recipes-graphics/cairo/cairo_1.16.0.bb > > > index 8663dec404..29088ab0d6 100644 > > > --- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb > > > +++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb > > > @@ -29,6 +29,9 @@ SRC_URI = > > > "http://cairographics.org/releases/cairo-${PV}.tar.xz \ > > > file://CVE-2019-6462.patch \ > > > " > > > > > > > > > > > > > > > +# Affects only embedded cairo in Firefox > > > +CVE_CHECK_WHITELIST += "CVE-2013-0800" > > > + > > > > That sounds a lot like we should send a CPE change upstream to classify > > it as firefox rather than cairo? > > Ok, I sent an email to [email protected] for removal of > "cpe:2.3:a:cairographics:cairo:-:*:*:*:*:*:*:*" from CVE-2013-0800 data citing > the Debian details. > > I hope this was the correct way to do this.
Sounds good to me, thanks! Cheers, Richard
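Review bot: the comment added above the CVE_CHECK_WHITELIST line ("# Affects only embedded cairo in Firefox") states the conclusion without the evidence, which is only in the commit message. Consider citing the Debian tracker entry (https://security-tracker.debian.org/tracker/CVE-2013-0800) in the comment so that a later reader of the recipe can verify why the CVE is suppressed. Since the thread also asks for the cairographics:cairo CPE to be removed from the CVE-2013-0800 data, the comment could note that the whitelist entry can be dropped once that correction lands; otherwise the suppression stays in cairo_1.16.0.bb with nothing prompting its removal.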
