* [meta-oe][master][kirkstone][PATCH] libplist: ignore patched CVEs
@ 2022-07-18 11:07 Davide Gardenal
  2022-07-18 11:07 ` [meta-oe][master][kirkstone][PATCH] meta-oe: " Davide Gardenal
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Davide Gardenal @ 2022-07-18 11:07 UTC (permalink / raw)
  To: openembedded-devel; +Cc: Davide Gardenal

CVE-2017-5834, CVE-2017-5835 and CVE-2017-5836 are patched in our
version of libplist but they don't have a vulnerable version range in
the NVD database, that's why they need to be ignored.

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
---
 meta-oe/recipes-extended/libimobiledevice/libplist_2.2.0.bb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/meta-oe/recipes-extended/libimobiledevice/libplist_2.2.0.bb b/meta-oe/recipes-extended/libimobiledevice/libplist_2.2.0.bb
index db4f507b7..daaff0039 100644
--- a/meta-oe/recipes-extended/libimobiledevice/libplist_2.2.0.bb
+++ b/meta-oe/recipes-extended/libimobiledevice/libplist_2.2.0.bb
@@ -13,6 +13,12 @@ SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https;branch=mast
 
 S = "${WORKDIR}/git"
 
+CVE_CHECK_IGNORE += "\
+    CVE-2017-5834 \
+    CVE-2017-5835 \
+    CVE-2017-5836 \
+"
+
 do_install:append () {
     if [ -e ${D}${libdir}/python*/site-packages/plist/_plist.so ]; then
         chrpath -d ${D}${libdir}/python*/site-packages/plist/_plist.so
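Review bot: the added CVE_CHECK_IGNORE block carries no comment, so the recipe gives no reason for ignoring CVE-2017-5834, CVE-2017-5835 and CVE-2017-5836. The reason currently lives only in the commit message. Suggest a short comment directly above the assignment stating that the fixes are already in this version and that the NVD entries lack a version range, so the justification stays visible in the file.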
-- 
2.34.1




* [meta-oe][master][kirkstone][PATCH] meta-oe: ignore patched CVEs
  2022-07-18 11:07 [meta-oe][master][kirkstone][PATCH] libplist: ignore patched CVEs Davide Gardenal
@ 2022-07-18 11:07 ` Davide Gardenal
  2022-07-18 11:07 ` [meta-oe][kirkstone][PATCH] openjpeg: ignore CVE-2015-1239 Davide Gardenal
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Davide Gardenal @ 2022-07-18 11:07 UTC (permalink / raw)
  To: openembedded-devel; +Cc: Davide Gardenal

Some old CVEs don't have a vulnerable version range in the NVD database,
this causes some mismatch with cve-check. Ignore many CVEs that are
picked up by the class but are patched in our products.

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
---
 meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb | 4 ++++
 meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb         | 4 ++++
 meta-oe/recipes-extended/sanlock/sanlock_3.8.4.bb         | 4 ++++
 meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb   | 4 ++++
 meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb      | 4 ++++
 meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb          | 4 ++++
 meta-oe/recipes-support/atop/atop_2.4.0.bb                | 4 ++++
 meta-oe/recipes-support/emacs/emacs_27.2.bb               | 4 ++++
 meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb           | 5 +++++
 10 files changed, 37 insertions(+)

diff --git a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
index 2fa24b29b..28a3e1e77 100644
--- a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
+++ b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
@@ -11,6 +11,10 @@ SRC_URI = "git://github.com/rakshasa/libtorrent;branch=master;protocol=https \
            "
 SRCREV = "756f70010779927dc0691e1e722ed433d5d295e1"
 
+CVE_CHECK_IGNORE += "\
+    CVE-2009-1760 \
+"
+
 PV = "0.13.8"
 
 S = "${WORKDIR}/git"
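Review bot: the new block is inserted between SRCREV and PV, which separates the two lines that together pin the version of this git recipe. Placing the CVE_CHECK_IGNORE assignment after S = "${WORKDIR}/git" would keep SRCREV and PV adjacent. A one-line comment saying why CVE-2009-1760 is ignored would also help, since the commit message gives one generic reason for every recipe in the patch.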
diff --git a/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb b/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb
index e9cb7adb8..df90b629a 100644
--- a/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb
+++ b/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb
@@ -18,6 +18,10 @@ SRC_URI[sha256sum] = "53e15a2b5c1bc80161d42e9f69792a3fa18332b7b771910131004eb520
 
 S = "${WORKDIR}/imap-${PV}"
 
+CVE_CHECK_IGNORE += "\
+    CVE-2005-0198 \
+"
+
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
 PACKAGECONFIG[pam] = ",,libpam"
 
diff --git a/meta-oe/recipes-extended/sanlock/sanlock_3.8.4.bb b/meta-oe/recipes-extended/sanlock/sanlock_3.8.4.bb
index ecbfad394..a59a5c41d 100644
--- a/meta-oe/recipes-extended/sanlock/sanlock_3.8.4.bb
+++ b/meta-oe/recipes-extended/sanlock/sanlock_3.8.4.bb
@@ -21,6 +21,10 @@ SRCREV = "a181e951376d49a82eef17920c8ebedec80b4823"
 
 S = "${WORKDIR}/git"
 
+CVE_CHECK_IGNORE += "\
+    CVE-2012-5638 \
+"
+
 DEPENDS = "libaio util-linux"
 
 inherit setuptools3 useradd
diff --git a/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb b/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb
index 7e00f150d..4b9ae4758 100644
--- a/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb
+++ b/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb
@@ -32,6 +32,10 @@ SRC_URI = "http://downloads.sourceforge.net/sblim/${BP}.tar.bz2 \
 SRC_URI[md5sum] = "28021cdabc73690a94f4f9d57254ce30"
 SRC_URI[sha256sum] = "634a67b2f7ac3b386a79160eb44413d618e33e4e7fc74ae68b0240484af149dd"
 
+CVE_CHECK_IGNORE += "\
+    CVE-2012-3381 \
+"
+
 inherit autotools
 inherit systemd
 
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb b/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb
index aa597cd8e..5666a6229 100644
--- a/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb
+++ b/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb
@@ -31,6 +31,10 @@ SRC_URI:append:class-nativesdk = "\
 
 SRC_URI[sha256sum] = "6b16bf990df114195be669773a1dae975dbbffada45e1de2849ddeb5851bb9a8"
 
+CVE_CHECK_IGNORE += "\
+    CVE-2014-9157 \
+"
+
 PACKAGECONFIG ??= "librsvg"
 PACKAGECONFIG[librsvg] = "--with-librsvg,--without-librsvg,librsvg"
 
diff --git a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
index 4c17105a9..b6214d982 100644
--- a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
+++ b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
@@ -6,6 +6,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a80440d1d8f17d041c71c7271d6e06eb"
 SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=master"
 SRCREV = "fe00207dc10db1d7cc6f2757961c5c6bdfd10973"
 
+CVE_CHECK_IGNORE += "\
+    CVE-2015-8751 \
+"
+
 S = "${WORKDIR}/git"
 
 inherit cmake
diff --git a/meta-oe/recipes-support/atop/atop_2.4.0.bb b/meta-oe/recipes-support/atop/atop_2.4.0.bb
index 35540b3b8..b1d2abde7 100644
--- a/meta-oe/recipes-support/atop/atop_2.4.0.bb
+++ b/meta-oe/recipes-support/atop/atop_2.4.0.bb
@@ -24,6 +24,10 @@ SRC_URI = "http://www.atoptool.nl/download/${BP}.tar.gz \
 SRC_URI[md5sum] = "1077da884ed94f2bc3c81ac3ab970436"
 SRC_URI[sha256sum] = "be1c010a77086b7d98376fce96514afcd73c3f20a8d1fe01520899ff69a73d69"
 
+CVE_CHECK_IGNORE += "\
+    CVE-2011-3618 \
+"
+
 do_compile() {
     oe_runmake all
 }
diff --git a/meta-oe/recipes-support/emacs/emacs_27.2.bb b/meta-oe/recipes-support/emacs/emacs_27.2.bb
index b78dc5e45..4a7e7aba5 100644
--- a/meta-oe/recipes-support/emacs/emacs_27.2.bb
+++ b/meta-oe/recipes-support/emacs/emacs_27.2.bb
@@ -11,6 +11,10 @@ SRC_URI:append:class-target = " file://usemake-docfile-native.patch"
 
 SRC_URI[sha256sum] = "b4a7cc4e78e63f378624e0919215b910af5bb2a0afc819fad298272e9f40c1b9"
 
+CVE_CHECK_IGNORE = "\
+    CVE-2007-6109 \
+"
+
 PACKAGECONFIG[gnutls] = "--with-gnutls=yes,--with-gnutls=no,gnutls"
 PACKAGECONFIG[kerberos] = "--with-kerberos=yes,--with-kerberos=no,krb5"
 PACKAGECONFIG[libgmp] = "--with-libgmp=yes,--with-libgmp=no,gmp"
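Review bot: this hunk uses plain assignment, CVE_CHECK_IGNORE = "\, where every other hunk in the patch uses +=. In BitBake, = replaces whatever the variable already holds, so any ignore entries set earlier in parsing (for example from an included configuration file) are dropped for emacs. Unless that is intended, change it to CVE_CHECK_IGNORE += "\ to match the rest of the series.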
diff --git a/meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb b/meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb
index 14b1aaf01..3d8a45786 100644
--- a/meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb
+++ b/meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb
@@ -15,6 +15,11 @@ SRC_URI = "\
 
 SRC_URI[sha256sum] = "19654ad276b149646371fbdac21bc7620742f2975f7399fed0ffc1a18fbaf603"
 
+CVE_CHECK_IGNORE += "\
+    CVE-2010-1624 \
+    CVE-2011-3594 \
+"
+
 PACKAGECONFIG ??= "gnutls consoleui avahi dbus idn nss \
     ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11 gtk startup-notification', '', d)} \
 "
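Review bot: the diffstat for this patch reports 10 files changed, but this is the ninth and last file hunk and only nine recipes appear in the listing. The nine visible hunks already account for all 37 insertions. Please check whether a file was dropped from the patch or the summary line was edited by hand, and regenerate the patch so the summary matches its contents.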
-- 
2.34.1




* [meta-oe][kirkstone][PATCH] openjpeg: ignore CVE-2015-1239
  2022-07-18 11:07 [meta-oe][master][kirkstone][PATCH] libplist: ignore patched CVEs Davide Gardenal
  2022-07-18 11:07 ` [meta-oe][master][kirkstone][PATCH] meta-oe: " Davide Gardenal
@ 2022-07-18 11:07 ` Davide Gardenal
  2022-07-18 11:07 ` [meta-oe][master][PATCH] " Davide Gardenal
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Davide Gardenal @ 2022-07-18 11:07 UTC (permalink / raw)
  To: openembedded-devel; +Cc: Davide Gardenal

This CVE is patched in our version of openjpeg. The NVD database doesn't
include a version range, this is why it's still reported.

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
---
 meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
index f248619ec..42d2b4efb 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -15,6 +15,10 @@ SRC_URI = " \
 SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
 S = "${WORKDIR}/git"
 
+CVE_CHECK_IGNORE += "\
+    CVE-2015-1239 \
+"
+
 inherit cmake
 
 # for multilib
-- 
2.34.1




* [meta-oe][master][PATCH] openjpeg: ignore CVE-2015-1239
  2022-07-18 11:07 [meta-oe][master][kirkstone][PATCH] libplist: ignore patched CVEs Davide Gardenal
  2022-07-18 11:07 ` [meta-oe][master][kirkstone][PATCH] meta-oe: " Davide Gardenal
  2022-07-18 11:07 ` [meta-oe][kirkstone][PATCH] openjpeg: ignore CVE-2015-1239 Davide Gardenal
@ 2022-07-18 11:07 ` Davide Gardenal
  2022-07-18 11:07 ` [meta-oe][master][kirkstone][PATCH] php: ignore patched CVEs Davide Gardenal
  2022-07-18 11:07 ` [meta-oe][master][kirkstone][PATCH] postgresql: ignore unrelated CVE Davide Gardenal
  4 siblings, 0 replies; 6+ messages in thread
From: Davide Gardenal @ 2022-07-18 11:07 UTC (permalink / raw)
  To: openembedded-devel; +Cc: Davide Gardenal

This CVE is patched in our version of openjpeg. The NVD database doesn't
include a version range, this is why it's still reported.

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
---
 meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.0.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.0.bb
index c71e53564..379165718 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.0.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.0.bb
@@ -11,6 +11,10 @@ SRC_URI = "git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https
 SRCREV = "a5891555eb49ed7cc26b2901ea680acda136d811"
 S = "${WORKDIR}/git"
 
+CVE_CHECK_IGNORE += "\
+    CVE-2015-1239 \
+"
+
 inherit cmake
 
 # for multilib
-- 
2.34.1




* [meta-oe][master][kirkstone][PATCH] php: ignore patched CVEs
  2022-07-18 11:07 [meta-oe][master][kirkstone][PATCH] libplist: ignore patched CVEs Davide Gardenal
                   ` (2 preceding siblings ...)
  2022-07-18 11:07 ` [meta-oe][master][PATCH] " Davide Gardenal
@ 2022-07-18 11:07 ` Davide Gardenal
  2022-07-18 11:07 ` [meta-oe][master][kirkstone][PATCH] postgresql: ignore unrelated CVE Davide Gardenal
  4 siblings, 0 replies; 6+ messages in thread
From: Davide Gardenal @ 2022-07-18 11:07 UTC (permalink / raw)
  To: openembedded-devel; +Cc: Davide Gardenal

CVE-2007-2728, CVE-2007-3205 and CVE-2007-4596 are patched in our
version of php but they don't have a vulnerable version range in the
NVD database, that's why they need to be ignored.

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
---
 meta-oe/recipes-devtools/php/php_8.1.7.bb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/meta-oe/recipes-devtools/php/php_8.1.7.bb b/meta-oe/recipes-devtools/php/php_8.1.7.bb
index 043f3a81b..963ba6f27 100644
--- a/meta-oe/recipes-devtools/php/php_8.1.7.bb
+++ b/meta-oe/recipes-devtools/php/php_8.1.7.bb
@@ -35,6 +35,12 @@ SRC_URI:append:class-target = " \
 S = "${WORKDIR}/php-${PV}"
 SRC_URI[sha256sum] = "b816753eb005511e695d90945c27093c3236cc73db1262656d9fadd73ead7e9d"
 
+CVE_CHECK_IGNORE += "\
+    CVE-2007-2728 \
+    CVE-2007-3205 \
+    CVE-2007-4596 \
+"
+
 inherit autotools pkgconfig python3native gettext
 
 # phpize is not scanned for absolute paths by default (but php-config is).
-- 
2.34.1




* [meta-oe][master][kirkstone][PATCH] postgresql: ignore unrelated CVE
  2022-07-18 11:07 [meta-oe][master][kirkstone][PATCH] libplist: ignore patched CVEs Davide Gardenal
                   ` (3 preceding siblings ...)
  2022-07-18 11:07 ` [meta-oe][master][kirkstone][PATCH] php: ignore patched CVEs Davide Gardenal
@ 2022-07-18 11:07 ` Davide Gardenal
  4 siblings, 0 replies; 6+ messages in thread
From: Davide Gardenal @ 2022-07-18 11:07 UTC (permalink / raw)
  To: openembedded-devel; +Cc: Davide Gardenal

CVE-2017-8806 doesn't apply to our configuration of postgresql so we
can safely ignore it.

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
---
 meta-oe/recipes-dbs/postgresql/postgresql_14.4.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_14.4.bb b/meta-oe/recipes-dbs/postgresql/postgresql_14.4.bb
index 01a6ee635..64e83b2cd 100644
--- a/meta-oe/recipes-dbs/postgresql/postgresql_14.4.bb
+++ b/meta-oe/recipes-dbs/postgresql/postgresql_14.4.bb
@@ -11,3 +11,7 @@ SRC_URI += "\
 "
 
 SRC_URI[sha256sum] = "c23b6237c5231c791511bdc79098617d6852e9e3bdf360efd8b5d15a1a3d8f6a"
+
+CVE_CHECK_IGNORE += "\
+   CVE-2017-8806 \
+"
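Review bot: the ignore for CVE-2017-8806 at the end of the recipe rests on the configuration rather than on a fix, and the hunk does not record which aspect of the configuration makes the CVE inapplicable. Add a comment above CVE_CHECK_IGNORE naming that assumption, so the entry can be re-evaluated if the packaging changes. As a style point, the entry line is indented with three spaces where the other patches in this series use four.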
-- 
2.34.1


