Message ID | 20210421204235.5956-3-matthew.weber@rockwellcollins.com |
---|---|
State | Accepted |
Series | Misc CVE ignores |
>>>>> "Matt" == Matt Weber <matthew.weber@rockwellcollins.com> writes: > This CVE is only relevant to a build when the SUSE coreutils-i18n.patch > is included. The upstream codebase does not include this patch, nor > does Buildroot. > https://security-tracker.debian.org/tracker/CVE-2013-0221 > https://security-tracker.debian.org/tracker/CVE-2013-0222 > https://security-tracker.debian.org/tracker/CVE-2013-0223 > Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com> > --- > package/coreutils/coreutils.mk | 4 ++++ > 1 file changed, 4 insertions(+) > diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk > index 0e75cdfcda..65234a113e 100644 > --- a/package/coreutils/coreutils.mk > +++ b/package/coreutils/coreutils.mk > @@ -10,6 +10,10 @@ COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz > COREUTILS_LICENSE = GPL-3.0+ > COREUTILS_LICENSE_FILES = COPYING > COREUTILS_CPE_ID_VENDOR = gnu > +# Only when including SUSE coreutils-i18n.patch > +COREUTILS_IGNORE_CVES = CVE-2013-0221 > +COREUTILS_IGNORE_CVES += CVE-2013-0222 > +COREUTILS_IGNORE_CVES += CVE-2013-0223

NIT: There is no problem having multiple CVEs on the same line:
COREUTILS_IGNORE_CVES += CVE-2013-0221 CVE-2013-0222 CVE-2013-0223
diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk index 0e75cdfcda..65234a113e 100644 --- a/package/coreutils/coreutils.mk +++ b/package/coreutils/coreutils.mk @@ -10,6 +10,10 @@ COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz COREUTILS_LICENSE = GPL-3.0+ COREUTILS_LICENSE_FILES = COPYING COREUTILS_CPE_ID_VENDOR = gnu +# Only when including SUSE coreutils-i18n.patch +COREUTILS_IGNORE_CVES = CVE-2013-0221 +COREUTILS_IGNORE_CVES += CVE-2013-0222 +COREUTILS_IGNORE_CVES += CVE-2013-0223 # We're patching m4/pthread-cond.m4 COREUTILS_AUTORECONF = YES
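Review bot: The comment on the added line "# Only when including SUSE coreutils-i18n.patch" does not say why the three CVEs are ignored, and read on its own it suggests the ignore list is conditional on that patch being present. Carry the reasoning from the commit message into the comment, for example "# CVE-2013-0221, CVE-2013-0222 and CVE-2013-0223 only affect coreutils built with the SUSE coreutils-i18n.patch, which Buildroot does not apply", so that anyone who later adds that patch to package/coreutils knows these COREUTILS_IGNORE_CVES entries have to be dropped.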
This CVE is only relevant to a build when the SUSE coreutils-i18n.patch is included. The upstream codebase does not include this patch, nor does Buildroot.

https://security-tracker.debian.org/tracker/CVE-2013-0221
https://security-tracker.debian.org/tracker/CVE-2013-0222
https://security-tracker.debian.org/tracker/CVE-2013-0223

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/coreutils/coreutils.mk | 4 ++++
 1 file changed, 4 insertions(+)