diff options
author | Sana Kazi <Sana.Kazi@kpit.com> | 2022-05-16 12:53:23 +0530 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2022-05-25 19:34:39 -0700 |
commit | a38c92d8e9a2ff8a1753c90b5d459c212e131e52 (patch) | |
tree | 57fd890199382bf42a55fc16cb0062200c9228ed | |
parent | de4b76934c2012482208bfbd81fe5cc88a1a8eeb (diff) | |
download | meta-openembedded-contrib-a38c92d8e9a2ff8a1753c90b5d459c212e131e52.tar.gz |
openjpeg: Whitelist CVE-2020-27844 and CVE-2015-1239
Whitelist CVE-2020-27844 as it is introduced by
https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5
but the contents of this patch is not present in openjpeg_2.3.1
Link: https://security-tracker.debian.org/tracker/CVE-2020-27844
Whitelist CVE-2015-1239 as the CVE description clearly states that
j2k_read_ppm_v3 function in openjpeg is affected due to CVE-2015-1239
but in openjpeg_2.3.1 this function is not present.
Hence, CVE-2015-1239 does not affect openjpeg_2.3.1.
Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb index 218dc911fe..9cf513f3f7 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb @@ -33,3 +33,17 @@ inherit cmake EXTRA_OECMAKE += "-DOPENJPEG_INSTALL_LIB_DIR=${@d.getVar('baselib').replace('/', '')}" FILES_${PN} += "${libdir}/openjpeg*" + +# This flaw is introduced by +# https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5 +# but the contents of this patch is not present in openjpeg_2.3.1 +# Hence, it can be whitelisted. +# https://security-tracker.debian.org/tracker/CVE-2020-27844 + +CVE_CHECK_WHITELIST += "CVE-2020-27844" + +# The CVE description clearly states that j2k_read_ppm_v3 function in openjpeg +# is affected due to CVE-2015-1239 but in openjpeg_2.3.1 this function is not present. +# Hence, CVE-2015-1239 does not affect openjpeg_2.3.1 + +CVE_CHECK_WHITELIST += "CVE-2015-1239" |