[nanbield,2/7] libxml2: ignore disputed CVE-2023-45322

Message ID	20231103132811.2074247-2-ross.burton@arm.com
State	New, archived
Headers	show Return-Path: <ross.burton@arm.com> ip: 217.140.110.172, mailfrom: ross.burton@arm.com) From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH][nanbield 2/7] libxml2: ignore disputed CVE-2023-45322 Date: Fri, 3 Nov 2023 13:28:06 +0000 Message-Id: <20231103132811.2074247-2-ross.burton@arm.com> In-Reply-To: <20231103132811.2074247-1-ross.burton@arm.com> References: <20231103132811.2074247-1-ross.burton@arm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	[nanbield,1/7] linux-yocto: update CVE exclusions \| expand [nanbield,1/7] linux-yocto: update CVE exclusions [nanbield,2/7] libxml2: ignore disputed CVE-2023-45322 [nanbield,3/7] zlib: ignore CVE-2023-45853 [nanbield,4/7] pixman: ignore CVE-2023-37769 [nanbield,5/7] cve-check: sort the package list in the JSON report [nanbield,6/7] cve-check: slightly more verbose warning when adding the same package twice [nanbield,7/7] cve-check: don't warn if a patch is remote

Message ID

20231103132811.2074247-2-ross.burton@arm.com

State

New, archived

Headers

From: ross.burton@arm.com
To: openembedded-core@lists.openembedded.org
Cc: nd@arm.com
Subject: [PATCH][nanbield 2/7] libxml2: ignore disputed CVE-2023-45322
Date: Fri,  3 Nov 2023 13:28:06 +0000
Message-Id: <20231103132811.2074247-2-ross.burton@arm.com>
In-Reply-To: <20231103132811.2074247-1-ross.burton@arm.com>
References: <20231103132811.2074247-1-ross.burton@arm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Series

[nanbield,1/7] linux-yocto: update CVE exclusions | expand

Commit Message

Ross Burton Nov. 3, 2023, 1:28 p.m. UTC

From: Ross Burton <ross.burton@arm.com>

This CVE is a use-after-free which theoretically can be an exploit
vector, but this UAF only occurs when malloc() fails.  As it's
unlikely that the user can orchestrate malloc() failures at just the
place to break on _this_ malloc and not others it is disputed that this
is actually a security issue.

The underlying bug has been fixed, and will be incorporated into the
next release.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-core/libxml/libxml2_2.11.5.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-core/libxml/libxml2_2.11.5.bb b/meta/recipes-core/libxml/libxml2_2.11.5.bb
index 4cf6dd09a9a..fc82912df25 100644
--- a/meta/recipes-core/libxml/libxml2_2.11.5.bb
+++ b/meta/recipes-core/libxml/libxml2_2.11.5.bb
@@ -21,6 +21,9 @@  SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
 SRC_URI[archive.sha256sum] = "3727b078c360ec69fa869de14bd6f75d7ee8d36987b071e6928d4720a28df3a6"
 SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
 
+# Disputed as a security issue, but fixed in d39f780
+CVE_STATUS[CVE-2023-45322] = "disputed: issue requires memory allocation to fail"
+
 BINCONFIG = "${bindir}/xml2-config"
 
 PACKAGECONFIG ??= "python \

[nanbield,2/7] libxml2: ignore disputed CVE-2023-45322

Commit Message

Patch