Message ID | 20230824134101.41906-4-emkan@prevas.dk |
---|---|
State | New |
Series | add missing CVE_PRODUCT |
On 24 Aug 2023, at 14:41, Emil Kronborg Andersen via lists.openembedded.org <emkan=prevas.dk@lists.openembedded.org> wrote:
> > Signed-off-by: Emil Kronborg Andersen <emkan@prevas.dk> > --- > meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb b/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb > index 2131f46213..5d5762456c 100644 > --- a/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb > +++ b/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb > @@ -33,3 +33,5 @@ do_install() { > PACKAGES = "${PN}" > > FILES:${PN} = "${datadir}/X11/locale ${libdir}/X11/locale" > + > +CVE_PRODUCT += "x.org:libx11”
This is _just_ the compose data, is it feasible for this to have a CVE?
Ross
Hi Ross,
No, you are right. However, I think it would make sense to include CVE_PRODUCT in xorg-lib-common.inc instead. What do you think?
Emil
________________________________
From: Ross Burton <Ross.Burton@arm.com>
Sent: Friday, August 25, 2023 17:16
To: Emil Kronborg Andersen <emkan@prevas.dk>
Cc: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH 3/3] libx11-compose-data: add CVE_PRODUCT
On 24 Aug 2023, at 14:41, Emil Kronborg Andersen via lists.openembedded.org <emkan=prevas.dk@lists.openembedded.org> wrote:
> > Signed-off-by: Emil Kronborg Andersen <emkan@prevas.dk> > --- > meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb b/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb > index 2131f46213..5d5762456c 100644 > --- a/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb > +++ b/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb > @@ -33,3 +33,5 @@ do_install() { > PACKAGES = "${PN}" > > FILES:${PN} = "${datadir}/X11/locale ${libdir}/X11/locale" > + > +CVE_PRODUCT += "x.org:libx11”
This is _just_ the compose data, is it feasible for this to have a CVE?
Ross
On 28 Aug 2023, at 08:18, Emil Kronborg Andersen <emkan@prevas.dk> wrote:
> No, you are right. However, I think it would make sense to include CVE_PRODUCT in xorg-lib-common.inc instead. What do you think?
That’s definitely wrong, as most of the X11 libraries use that file.
Ross
That is why I want to include it in that file. Doesn't it make sense to capture CVEs for x.org:libx11 if you use any of the libraries?
Emil
________________________________
From: Ross Burton <Ross.Burton@arm.com>
Sent: Tuesday, August 29, 2023 11:45
To: Emil Kronborg Andersen <emkan@prevas.dk>
Cc: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH 3/3] libx11-compose-data: add CVE_PRODUCT
On 28 Aug 2023, at 08:18, Emil Kronborg Andersen <emkan@prevas.dk> wrote:
> No, you are right. However, I think it would make sense to include CVE_PRODUCT in xorg-lib-common.inc instead. What do you think?
That’s definitely wrong, as most of the X11 libraries use that file.
Ross
On 30 Aug 2023, at 07:37, Emil Kronborg Andersen <emkan@prevas.dk> wrote:
>
> That is why I want to include it in that file. Doesn't it make sense to capture CVEs for x.org:libx11 if you use any of the libraries?
No, x.org:libx11 refers to libx11, not eg libxvmc.
Ross
Alright. I thought libx11 was a dependency of the packages that include xorg-lib-common.inc, which is why I asked.
So I guess this patch can just be dropped then? Do you need me to do anything further?
Emil
________________________________
From: Ross Burton <Ross.Burton@arm.com>
Sent: Wednesday, August 30, 2023 11:27
To: Emil Kronborg Andersen <emkan@prevas.dk>
Cc: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH 3/3] libx11-compose-data: add CVE_PRODUCT
On 30 Aug 2023, at 07:37, Emil Kronborg Andersen <emkan@prevas.dk> wrote:
>
> That is why I want to include it in that file. Doesn't it make sense to capture CVEs for x.org:libx11 if you use any of the libraries?
No, x.org:libx11 refers to libx11, not eg libxvmc.
Ross
> On 30 Aug 2023, at 10:47, Emil Kronborg Andersen <emkan@prevas.dk> wrote:
>
> Alright. I thought libx11 was a dependency of the packages that include xorg-lib-common.inc, which is why I asked.
It _mostly_ is, but issues in libx11 will be reported by the libx11 recipe, not in packages that depend on libx11.
> So I guess this patch can just be dropped then? Do you need me to do anything further?
Nope, nothing else to do.
Ross
diff --git a/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb b/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb index 2131f46213..5d5762456c 100644 --- a/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb +++ b/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb @@ -33,3 +33,5 @@ do_install() { PACKAGES = "${PN}" FILES:${PN} = "${datadir}/X11/locale ${libdir}/X11/locale" + +CVE_PRODUCT += "x.org:libx11"
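Review bot: the added `CVE_PRODUCT += "x.org:libx11"` at the end of the hunk maps this recipe to the libx11 product, yet the `FILES:${PN}` line just above it shows the package ships only the `${datadir}/X11/locale` and `${libdir}/X11/locale` directories, so libx11 CVEs would be attributed to a recipe that carries no library code. The commit message consists of a Signed-off-by only and gives no reason for the mapping; either drop the line or state in the commit message which CVEs are expected to apply to the compose data.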
Signed-off-by: Emil Kronborg Andersen <emkan@prevas.dk>
---
 meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.4.bb | 2 ++
 1 file changed, 2 insertions(+)