authorMikko Rapeli <>2021-01-15 19:05:44 +0200
committerRichard Purdie <>2021-01-16 22:39:17 +0000
commit06b72a91b6dcf63fed437fd2105c59e922ba6525 (patch)
treeaff574ad1f4d361ef3f14190529c7a3ddc16130c /meta
parentef153ad36d0299e83a03af8f207686d0d8a238b3 (diff)
zip: whitelist CVE-2018-13410 and CVE-2018-13684. CVE-2018-13410 is disputed and also Debian considers it not a vulnerability: "Negligible security impact, would involve that a untrusted party controls the -TT value." CVE-2018-13684 is not for zip, also Debian concludes this: "NOT-FOR-US: smart contract implementation for ZIP" Signed-off-by: Mikko Rapeli <> Signed-off-by: Richard Purdie <>
Diffstat (limited to 'meta')
1 files changed, 6 insertions, 0 deletions
diff --git a/meta/recipes-extended/zip/ b/meta/recipes-extended/zip/
index c00a932763..97e5e57533 100644
--- a/meta/recipes-extended/zip/
+++ b/meta/recipes-extended/zip/
@@ -19,6 +19,12 @@ UPSTREAM_VERSION_UNKNOWN = "1"
SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
+# Disputed and also Debian doesn't consider a vulnerability
+CVE_CHECK_WHITELIST += "CVE-2018-13410"
+# Not for zip but for smart contract implementation for it
+CVE_CHECK_WHITELIST += "CVE-2018-13684"
# sets CFLAGS, but what Makefile actually uses is
# CFLAGS_NOOPT. It will also force -O3 optimization, overriding
# whatever we set.
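Review bot: The two comments added above the `CVE_CHECK_WHITELIST` lines leave out the reasoning that the commit message carries, so someone auditing the suppressed CVEs from the recipe alone cannot re-check the decision. For CVE-2018-13410 the comment could read `# CVE-2018-13410: disputed; requires an untrusted party to control the -TT value (Debian: negligible impact)`, which also records the assumption that has to hold for the entry to stay valid. For CVE-2018-13684, `# CVE-2018-13684: applies to a smart contract implementation, not this zip package (Debian: NOT-FOR-US)` is clearer than the current wording. A whitelist entry hides the CVE from later cve-check reports, so naming the source of each assessment next to the entry helps when the list is revisited.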