cve-extra-exclusion: ignore disputed CVE-2023-23005

(From OE-Core rev: 39274240b7756f498507b229d5f3461c207f1823) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Reviewed-by: Frank WOLFF <frank.wolff@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yoann Congal <yoann.congal@smile.fr> 2023-04-06 16:19:23 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-04-12 14:17:09 +0100
commit: 7ebcf1477a3660dfe77f1eaf6496572d1bbdc890 (patch)
tree: 484a28db928b13d91d171d2aed372bc90292e222
parent: fe76a450eb162ba054c863adddfae72b618edd68 (diff)
download: poky-7ebcf1477a3660dfe77f1eaf6496572d1bbdc890.tar.gz
1 files changed, 10 insertions, 0 deletions
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 0b89598501..439d569f7d 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -485,6 +485,16 @@ CVE_CHECK_IGNORE += "CVE-2023-1281"
 # Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
 CVE_CHECK_IGNORE += "CVE-2023-1513"
+# https://nvd.nist.gov/vuln/detail/CVE-2023-23005
+# Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b
+# Patched in kernel since v6.2 4a625ceee8a0ab0273534cb6b432ce6b331db5ee
+# But, the CVE is disputed:
+# > NOTE: this is disputed by third parties because there are no realistic cases
+# > in which a user can cause the alloc_memory_type error case to be reached.
+# See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2
+# We can safely ignore it.
+CVE_CHECK_IGNORE += "CVE-2023-23005"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-28466
 # Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
 # Patched in kernel since v6.3-rc2 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962
author	Yoann Congal <yoann.congal@smile.fr>	2023-04-06 16:19:23 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-04-12 14:17:09 +0100
commit	7ebcf1477a3660dfe77f1eaf6496572d1bbdc890 (patch)
tree	484a28db928b13d91d171d2aed372bc90292e222
parent	fe76a450eb162ba054c863adddfae72b618edd68 (diff)
download	poky-7ebcf1477a3660dfe77f1eaf6496572d1bbdc890.tar.gz

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index 0b89598501..439d569f7d 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -485,6 +485,16 @@ CVE_CHECK_IGNORE += "CVE-2023-1281"
485	# Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb	485	# Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
486	CVE_CHECK_IGNORE += "CVE-2023-1513"	486	CVE_CHECK_IGNORE += "CVE-2023-1513"
487		487
		488	# https://nvd.nist.gov/vuln/detail/CVE-2023-23005
		489	# Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b
		490	# Patched in kernel since v6.2 4a625ceee8a0ab0273534cb6b432ce6b331db5ee
		491	# But, the CVE is disputed:
		492	# > NOTE: this is disputed by third parties because there are no realistic cases
		493	# > in which a user can cause the alloc_memory_type error case to be reached.
		494	# See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2
		495	# We can safely ignore it.
		496	CVE_CHECK_IGNORE += "CVE-2023-23005"
		497
488	# https://nvd.nist.gov/vuln/detail/CVE-2023-28466	498	# https://nvd.nist.gov/vuln/detail/CVE-2023-28466
489	# Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218	499	# Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
490	# Patched in kernel since v6.3-rc2 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962	500	# Patched in kernel since v6.3-rc2 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962