From afb0d8d2c6131b413dbf77530b219213b1a0efa1 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sun, 16 Mar 2025 23:53:50 +0100 Subject: [PATCH] sox: mark CVEs included in hash update as fixed git log sox-14.4.2..HEAD | grep -o 'CVE-[0-9-]*' | sort -u CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 CVE-2017-15371 CVE-2017-15372 CVE-2017-15642 CVE-2017-18189 CVE-2019-13590 CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 Following remaining CVEs are handled in commits: CVE-2019-1010004 - NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-1010004 - report: https://sourceforge.net/p/sox/bugs/299/ - patch: https://sourceforge.net/p/sox/code/ci/09d7388c8ad5701ed9c59d1d600ff6154b066397/ - same commit as CVE-2017-18189 as mentioned in NVD and bugreport texts - https://security-tracker.debian.org/tracker/CVE-2019-1010004 links it - it's only commit in src/xa.c in last 15 years Signed-off-by: Peter Marko Signed-off-by: Khem Raj
---
meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
index e3c228858c..e8294a05af 100644
--- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
+++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
@@ -38,6 +38,14 @@ S = "${WORKDIR}/git"
 CVE_PRODUCT:append = " libsox_project:libsox sound_exchange_project:sound_exchange"
+CVE_STATUS_GROUPS += "CVE_STATUS_HASH_UPDATE"
+CVE_STATUS_HASH_UPDATE = " \
+ CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 CVE-2017-15371 \
+ CVE-2017-15372 CVE-2017-15642 CVE-2017-18189 CVE-2019-13590 CVE-2019-8354 \
+ CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 CVE-2019-1010004 \
+"
+CVE_STATUS_HASH_UPDATE[status] = "fixed-version: patched in current git hash"
 inherit autotools pkgconfig
 # Enable largefile support
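Review bot: The `CVE_STATUS_HASH_UPDATE` group records neither how the list was derived nor which revision it is valid for, so all fourteen entries will keep reporting as patched if the pinned revision is later changed or overridden in a bbappend (the revision assignment itself is outside this hunk). The derivation lives only in the commit message; I would add a comment above the group such as `# CVE ids named in "git log sox-14.4.2..<pinned revision>"; re-verify this list whenever the revision changes`. CVE-2019-1010004 is a different case: per the commit message it does not appear in the log and is included by inference from sharing a fix commit with CVE-2017-18189. It would be easier to audit as its own entry, for example `CVE_STATUS[CVE-2019-1010004] = "fixed-version: fixed by the same upstream commit as CVE-2017-18189"`, instead of sharing the generic "patched in current git hash" reason.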