From: Ross Burton <ross.bur...@arm.com> CVE-2015-20107 describes an arbitrary command execution in the mailcap module, but this is by design in mailcap and needs to be worked around by the calling application.
Upstream Python will be documenting this flaw in the library reference, and it is likely that the mailcap module will be deprecated and removed in the future. Signed-off-by: Ross Burton <ross.bur...@arm.com> Signed-off-by: Luca Ceresoli <luca.ceres...@bootlin.com> Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org> (cherry picked from commit 85fac8408baf92d8b71946f5bfea92952b7eab01) Signed-off-by: Steve Sakoman <st...@sakoman.com> --- meta/recipes-devtools/python/python3_3.10.4.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-devtools/python/python3_3.10.4.bb b/meta/recipes-devtools/python/python3_3.10.4.bb index 7eaafe34ad..d678d55083 100644 --- a/meta/recipes-devtools/python/python3_3.10.4.bb +++ b/meta/recipes-devtools/python/python3_3.10.4.bb @@ -55,6 +55,9 @@ CVE_CHECK_IGNORE += "CVE-2007-4559" CVE_CHECK_IGNORE += "CVE-2019-18348" # These are specific to Microsoft Windows CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488" +# The mailcap module is insecure by design, so this can't be fixed in a meaningful way. +# The module will be removed in the future and flaws documented. +CVE_CHECK_IGNORE += "CVE-2015-20107" PYTHON_MAJMIN = "3.10" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#165021): https://lists.openembedded.org/g/openembedded-core/message/165021 Mute This Topic: https://lists.openembedded.org/mt/90779132/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
