[PATCH] rpm: Exclude CVE-2021-20266 from cve-check

[PATCH] rpm: Exclude CVE-2021-20266 from cve-check

[Richard Purdie]

This is included in the release we have, it was the reason for the last rpm
point release.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-devtools/rpm/rpm_4.16.1.3.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb b/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
index 2857cd730c4..760adab02b5 100644
--- a/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
@@ -51,6 +51,10 @@ S = "${WORKDIR}/git"
 # included in 4.16.1.3
 CVE_CHECK_WHIETLIST += "CVE-2021-20271"
 
+# Fix https://github.com/rpm-software-management/rpm/commit/2e21a178fcc76565c09ed3a28624ca8aeda1880a
+# included in 4.16.1.3
+CVE_CHECK_WHIETLIST += "CVE-2021-20266"
+
 DEPENDS = "libgcrypt db file popt xz bzip2 elfutils python3"
 DEPENDS_append_class-native = " file-replacement-native bzip2-replacement-native"
 
-- 
2.30.2

Re: [OE-core] [PATCH] rpm: Exclude CVE-2021-20266 from cve-check

[Jacob Kroon]

On 5/17/21 11:48 AM, Richard Purdie wrote:
> This is included in the release we have, it was the reason for the last rpm
> point release.
> 
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> ---
>   meta/recipes-devtools/rpm/rpm_4.16.1.3.bb | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb b/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
> index 2857cd730c4..760adab02b5 100644
> --- a/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
> +++ b/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
> @@ -51,6 +51,10 @@ S = "${WORKDIR}/git"
>   # included in 4.16.1.3
>   CVE_CHECK_WHIETLIST += "CVE-2021-20271"
>   
> +# Fix https://github.com/rpm-software-management/rpm/commit/2e21a178fcc76565c09ed3a28624ca8aeda1880a
> +# included in 4.16.1.3
> +CVE_CHECK_WHIETLIST += "CVE-2021-20266"
> +

Is the same spelling already exists above, but is that really 
intentional, "WHIET" instead of "WHITE" ?

/Jacob

>   DEPENDS = "libgcrypt db file popt xz bzip2 elfutils python3"
>   DEPENDS_append_class-native = " file-replacement-native bzip2-replacement-native"
>   
> 
> 
> 
> 
> 

Re: [OE-core] [PATCH] rpm: Exclude CVE-2021-20266 from cve-check

[Richard Purdie]

On Mon, 2021-05-17 at 11:50 +0200, Jacob Kroon wrote:
> 
> On 5/17/21 11:48 AM, Richard Purdie wrote:
> > This is included in the release we have, it was the reason for the last rpm
> > point release.
> > 
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > ---
> >   meta/recipes-devtools/rpm/rpm_4.16.1.3.bb | 4 ++++
> >   1 file changed, 4 insertions(+)
> > 
> > diff --git a/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb b/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
> > index 2857cd730c4..760adab02b5 100644
> > --- a/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
> > +++ b/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
> > @@ -51,6 +51,10 @@ S = "${WORKDIR}/git"
> >   # included in 4.16.1.3
> >   CVE_CHECK_WHIETLIST += "CVE-2021-20271"
> >   
> > 
> > 
> > 
> > +# Fix https://github.com/rpm-software-management/rpm/commit/2e21a178fcc76565c09ed3a28624ca8aeda1880a
> > +# included in 4.16.1.3
> > +CVE_CHECK_WHIETLIST += "CVE-2021-20266"
> > +
> 
> Is the same spelling already exists above, but is that really 
> intentional, "WHIET" instead of "WHITE" ?

Well spotted, I'll fix that, thanks.

Cheers,

Richard

Re: [OE-core] [PATCH] rpm: Exclude CVE-2021-20266 from cve-check

[Richard Purdie]

On Mon, 2021-05-17 at 10:56 +0100, Richard Purdie via lists.openembedded.org wrote:
> On Mon, 2021-05-17 at 11:50 +0200, Jacob Kroon wrote:
> > 
> > On 5/17/21 11:48 AM, Richard Purdie wrote:
> > > This is included in the release we have, it was the reason for the last rpm
> > > point release.
> > > 
> > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > > ---
> > >   meta/recipes-devtools/rpm/rpm_4.16.1.3.bb | 4 ++++
> > >   1 file changed, 4 insertions(+)
> > > 
> > > diff --git a/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb b/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
> > > index 2857cd730c4..760adab02b5 100644
> > > --- a/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
> > > +++ b/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
> > > @@ -51,6 +51,10 @@ S = "${WORKDIR}/git"
> > >   # included in 4.16.1.3
> > >   CVE_CHECK_WHIETLIST += "CVE-2021-20271"
> > >   
> > > 
> > > 
> > > 
> > > +# Fix https://github.com/rpm-software-management/rpm/commit/2e21a178fcc76565c09ed3a28624ca8aeda1880a
> > > +# included in 4.16.1.3
> > > +CVE_CHECK_WHIETLIST += "CVE-2021-20266"
> > > +
> > 
> > Is the same spelling already exists above, but is that really 
> > intentional, "WHIET" instead of "WHITE" ?
> 
> Well spotted, I'll fix that, thanks.

The upstream database updated so we can remove that entry. I've sent a CPE update
for this issue so whilst I'll leave this patch in -next, we may be able to simply
remove the other entry and not add this one.

Cheers,

Richard