From patchwork Wed Apr 1 21:46:09 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabrice Fontaine X-Patchwork-Id: 1265365 From: Fabrice Fontaine To: buildroot@buildroot.org Date: Wed, 1 Apr 2020 23:46:09 +0200 Message-Id: <20200401214609.9184-1-fontaine.fabrice@gmail.com> X-Mailer: git-send-email 2.25.1 Subject: [Buildroot] [PATCH 1/1] package/libexif: annotate CVEs List-Id: Discussion and development of buildroot Cc: Fabrice Fontaine
Signed-off-by: Fabrice Fontaine --- package/libexif/libexif.mk | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/package/libexif/libexif.mk b/package/libexif/libexif.mk index a4ec5ed3cb..643d9ed893 100644 --- a/package/libexif/libexif.mk +++ b/package/libexif/libexif.mk @@ -12,4 +12,13 @@ LIBEXIF_DEPENDENCIES = host-pkgconf LIBEXIF_LICENSE = LGPL-2.1+ LIBEXIF_LICENSE_FILES = COPYING +# 0001-fixes-some-not-all-buffer-overreads-during-decoding-.patch +LIBEXIF_IGNORE_CVES += CVE-2016-6328 +# 0002-On-saving-makernotes-make-sure-the-makernote-contain.patch +LIBEXIF_IGNORE_CVES += CVE-2017-7544 +# 0004-Improve-deep-recursion-detection-in-exif_data_load_d.patch +LIBEXIF_IGNORE_CVES += CVE-2018-20030 +# 0005-fix-CVE-2019-9278.patch +LIBEXIF_IGNORE_CVES += CVE-2019-9278 + $(eval $(autotools-package))
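
Review bot: the four `LIBEXIF_IGNORE_CVES +=` lines added after `LIBEXIF_LICENSE_FILES` suppress CVE-2016-6328, CVE-2017-7544, CVE-2018-20030 and CVE-2019-9278 on the strength of a one-line comment naming a patch file, and the commit message has no body saying that each CVE is fixed by that local patch. Only `0005-fix-CVE-2019-9278.patch` carries its CVE in the filename; for 0001, 0002 and 0004 the mapping rests on the comment alone, so please state in the commit message how each patch was matched to its CVE (for example, the upstream commit it was taken from). The comments also jump from 0002 to 0004: if a 0003 patch exists in package/libexif, say whether it addresses a CVE or is a non-security fix, so the gap is not read as an omission. An ignore entry keeps hiding its CVE from the report even after the patch it names is dropped, so it is worth recording that each entry must be removed together with its patch on the next version bump.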