On Wed, Apr 10, 2024 at 10:26 AM Beniamin Sandu <[email protected]> wrote:
>
> I don't know how that CVE tool is doing the checks, but it's doing
> something wrong.
> Both the CVEs that are mentioned in the list have nothing to do with
> the current library that is built with the recipe. I am actually
> curious as to who is using this library anyway, because it seems to be
> some random implementation with a very similar name.

It's not random; in fact, it's a pretty old implementation.

> The widely used library is the one at:
> https://github.com/arvidn/libtorrent (this is the one used in stuff
> like Deluge, and other torrent software).
>
> CVE-2016-5301 was fixed in: https://github.com/arvidn/libtorrent/pull/782.
> CVE-2009-1760 was fixed in:
> https://github.com/arvidn/libtorrent/commit/eb2203abf51e63b1d5ba0c3e5d972936df96c31a
>
> Maybe we should replace the current recipe or add a separate one to
> build the other library.

The existing libtorrent in meta-oe is used by the rtorrent recipe and I don't
see more users of it, so the question is:

1. Can rtorrent use the arvidn implementation? If so, then we can use
it for libtorrent systemwide.
2. Merge libtorrent into the rtorrent recipe, since it's the only user of it,
and the libtorrent recipe uses the arvidn fork.
3. Create a separate recipe for the arvidn implementation.

>
> On Wed, 10 Apr 2024 at 18:12, Khem Raj <[email protected]> wrote:
> >
> > Beniamin what is the resolution based on ? before we revert we should find
> >
> > On Wed, Apr 10, 2024 at 10:02 AM Marko, Peter <[email protected]> wrote:
> > >
> > > This CVE reappeared in 
> > > https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-master.txt
> > > So it should not have been applied.
> > >
> > > Peter
> > >
> > > -----Original Message-----
> > > From: [email protected] 
> > > <[email protected]> On Behalf Of Khem Raj via 
> > > lists.openembedded.org
> > > Sent: Sunday, April 7, 2024 17:43
> > > To: [email protected]; Beniamin Sandu 
> > > <[email protected]>
> > > Cc: Khem Raj <[email protected]>
> > > Subject: Re: [oe] [meta-oe][PATCH] libtorrent: remove CVE mention
> > >
> > >
> > > On Fri, 05 Apr 2024 16:13:35 +0100, Beniamin Sandu wrote:
> > > > The CVE mentioned in the recipe applies to a different libtorrent
> > > > library, from:
> > > > https://github.com/arvidn/libtorrent
> > > >
> > > >
> > >
> > > Applied, thanks!
> > >
> > > [1/1] libtorrent: remove CVE mention
> > >       commit: 0597c931ffbadf2a2242d8ed9cccb8567953d489
> > >
> > > Best regards,
> > > --
> > > Khem Raj <[email protected]>