From b881a288eec598002685f68da80a24e0478fa496 Mon Sep 17 00:00:00 2001
From: André Draszik <adraszik@tycoint.com>
Date: Fri, 4 Nov 2016 11:06:31 +0000
Subject: cve-check.bbclass: CVE-2014-2524 / readline v5.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Contrary to the CVE report, the vulnerable trace functions
don't exist in readline v5.2 (which we keep for GPLv2+
purposes), they were added in readline v6.0 only - let's
whitelist that CVE in order to avoid false positives.

See also the discussion in
 https://patchwork.openembedded.org/patch/81765/

Signed-off-by: André Draszik <adraszik@tycoint.com>
Reviewed-by: Lukasz Nowak <lnowak@tycoint.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
---
 meta/classes/cve-check.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 1425a40554..b0febfb2e5 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -39,7 +39,7 @@ CVE_CHECK_PN_WHITELIST = "\
 
 # Whitelist for CVE and version of package
 CVE_CHECK_CVE_WHITELIST = "{\
-    'CVE-2014-2524': ('6.3',), \
+    'CVE-2014-2524': ('6.3','5.2',), \
 }"
 
 python do_cve_check () {
-- 
cgit 1.2.3-korg