* [meta-oe][PATCH] lzo: add CVE_PRODUCT
@ 2021-08-19  6:33 Marta Rybczynska
  2021-08-19 12:53 ` [OE-core] " Ross Burton
  0 siblings, 1 reply; 3+ messages in thread
From: Marta Rybczynska @ 2021-08-19  6:33 UTC (permalink / raw)
  To: openembedded-core, denis; +Cc: Marta Rybczynska, Marta Rybczynska

lzo was missing CVE_PRODUCT and related CVEs (at least CVE-2014-4607) were
not reported.

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
---
 meta/recipes-support/lzo/lzo_2.10.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/lzo/lzo_2.10.bb b/meta/recipes-support/lzo/lzo_2.10.bb
index 85b14b3c5c..31a229c7f5 100644
--- a/meta/recipes-support/lzo/lzo_2.10.bb
+++ b/meta/recipes-support/lzo/lzo_2.10.bb
@@ -18,6 +18,8 @@ SRC_URI[sha256sum] = "c0f892943208266f9b6543b3ae308fab6284c5c90e627931446fb49b42
 
 inherit autotools ptest
 
+CVE_PRODUCT = "oberhumer:lzo2"
+
 EXTRA_OECONF = "--enable-shared"
 
 do_install_ptest() {
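Review bot: the added `CVE_PRODUCT = "oberhumer:lzo2"` line after `inherit autotools ptest` uses a plain `=`, which replaces the recipe's default product name instead of extending it, so the CVE check will look only for the vendor-qualified name. Consider keeping both names in the value (the bare `lzo` alongside `oberhumer:lzo2`) so that entries filed under either name are reported. A short comment above the assignment noting why the vendor-qualified name is needed (the commit message cites CVE-2014-4607) would also help whoever next updates this recipe.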
-- 
2.30.2



* Re: [OE-core] [meta-oe][PATCH] lzo: add CVE_PRODUCT
  2021-08-19  6:33 [meta-oe][PATCH] lzo: add CVE_PRODUCT Marta Rybczynska
@ 2021-08-19 12:53 ` Ross Burton
  2021-08-19 15:46   ` Marta Rybczynska
  0 siblings, 1 reply; 3+ messages in thread
From: Ross Burton @ 2021-08-19 12:53 UTC (permalink / raw)
  To: Marta Rybczynska; +Cc: OE-core

This replaces the default value of 'lzo', it might be safer to use +=
so both this name and just lzo are searched for.

The CVE database isn't very reliable for consistent naming, so I
prefer to cover all bases.

Ross

On Thu, 19 Aug 2021 at 07:33, Marta Rybczynska <rybczynska@gmail.com> wrote:
>
> lzo was missing CVE_PRODUCT and related CVEs (at least CVE-2014-4607) were
> not reported.
>
> Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
> ---
>  meta/recipes-support/lzo/lzo_2.10.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-support/lzo/lzo_2.10.bb b/meta/recipes-support/lzo/lzo_2.10.bb
> index 85b14b3c5c..31a229c7f5 100644
> --- a/meta/recipes-support/lzo/lzo_2.10.bb
> +++ b/meta/recipes-support/lzo/lzo_2.10.bb
> @@ -18,6 +18,8 @@ SRC_URI[sha256sum] = "c0f892943208266f9b6543b3ae308fab6284c5c90e627931446fb49b42
>
>  inherit autotools ptest
>
> +CVE_PRODUCT = "oberhumer:lzo2"
> +
>  EXTRA_OECONF = "--enable-shared"
>
>  do_install_ptest() {
> --
> 2.30.2
>
>
> 
>


* Re: [OE-core] [meta-oe][PATCH] lzo: add CVE_PRODUCT
  2021-08-19 12:53 ` [OE-core] " Ross Burton
@ 2021-08-19 15:46   ` Marta Rybczynska
  0 siblings, 0 replies; 3+ messages in thread
From: Marta Rybczynska @ 2021-08-19 15:46 UTC (permalink / raw)
  To: Ross Burton; +Cc: OE-core


Thanks for looking into this. I've used the cve_check pass from
https://lists.openembedded.org/g/openembedded-core/message/154677
and just with 'lzo' there are no results. I can add both if that seems
safer, fine for me. Will submit a new version.

Regards,
Marta

On Thu, Aug 19, 2021 at 2:54 PM Ross Burton <ross@burtonini.com> wrote:

> This replaces the default value of 'lzo', it might be safer to use +=
> so both this name and just lzo are searched for.
>
> The CVE database isn't very reliable for consistent naming, so I
> prefer to cover all bases.
>
> Ross
>
> On Thu, 19 Aug 2021 at 07:33, Marta Rybczynska <rybczynska@gmail.com> wrote:
> >
> > lzo was missing CVE_PRODUCT and related CVEs (at least CVE-2014-4607) were
> > not reported.
> >
> > Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
> > ---
> >  meta/recipes-support/lzo/lzo_2.10.bb | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/meta/recipes-support/lzo/lzo_2.10.bb
> b/meta/recipes-support/lzo/lzo_2.10.bb
> > index 85b14b3c5c..31a229c7f5 100644
> > --- a/meta/recipes-support/lzo/lzo_2.10.bb
> > +++ b/meta/recipes-support/lzo/lzo_2.10.bb
> > @@ -18,6 +18,8 @@ SRC_URI[sha256sum] =
> "c0f892943208266f9b6543b3ae308fab6284c5c90e627931446fb49b42
> >
> >  inherit autotools ptest
> >
> > +CVE_PRODUCT = "oberhumer:lzo2"
> > +
> >  EXTRA_OECONF = "--enable-shared"
> >
> >  do_install_ptest() {
> > --
> > 2.30.2
> >
> >
> > 
> >
>
