[OE-core][PATCH] ffmpeg: ignore 10 CVEs

Peter Marko via lists.openembedded.org Tue, 03 Feb 2026 14:41:13 -0800

From: Peter Marko <[email protected]>

First group of CVEs got a bogus cpe update listing all tags since v7.0.
All CVEs were fixed in v7.0 except CVE-2025-22921 fixed in v8.0.


Second group has date CPE (2025-01-13) instead of version (v8.0).

Signed-off-by: Peter Marko <[email protected]>
---
 meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb 
b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb
index d7afdd14f3..d564b47fd6 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb
@@ -171,3 +171,10 @@ FILES:libswscale = "${libdir}/libswscale${SOLIBS}"
 FILES:${PN}-examples = "${datadir}/${BPN}/examples"
 
 CVE_PRODUCT = "ffmpeg libswresample libavcodec"
+
+CVE_STATUS_GROUPS = "CVE_STATUS_WRONG_CPE"
+CVE_STATUS_WRONG_CPE = "CVE-2023-51791 CVE-2023-51793 CVE-2023-51794 
CVE-2023-51795 CVE-2023-51796 CVE-2023-51797 CVE-2023-51798 CVE-2025-22921"
+CVE_STATUS_WRONG_CPE[status] = "fixed-version: these CVEs are fixed in used 
version"
+
+CVE_STATUS[CVE-2025-25468] = "fixed-version: these CVEs are fixed since v8.0"
+CVE_STATUS[CVE-2025-25469] = "fixed-version: these CVEs are fixed since v8.0"

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#230487): 
https://lists.openembedded.org/g/openembedded-core/message/230487
Mute This Topic: https://lists.openembedded.org/mt/117625015/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] ffmpeg: ignore 10 CVEs

Reply via email to