libarchive: ignore CVE-2023-30571

This issue was reported and discusses under [1] which is linked in NVD CVE report. It was already documented that some parts or libarchive are thread safe and some not. [2] was now merged to document that also reported function is not thread safe. So this CVE *now* reports thread race condition for non-thread-safe function. And as such the CVE report is now invalid. The issue is still not closed for 2 reasons: * better document what is and what is not thread safe * request to public if someone could make these functions thread safe This should however not invalidate above statment about ignoring this CVE. [1] https://github.com/libarchive/libarchive/issues/1876 [2] https://github.com/libarchive/libarchive/pull/1875 (From OE-Core rev: 9b5b850d6a6982bb8ff14dcfbb6769b293638293) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2023-07-29 20:21:48 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-07-30 12:00:15 +0100
commit: 5dd5f0f5348594a0b636ef05a87381b997db4fb5 (patch)
tree: 0c7114b79e98cb777c4be332053935e83bd0d3d8 /meta/recipes-extended/libarchive
parent: 2f54f9bc01a76b3faebf648c949cf196083c5331 (diff)
download: poky-5dd5f0f5348594a0b636ef05a87381b997db4fb5.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
index bf14725dc1..4169a012fd 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -34,6 +34,8 @@ UPSTREAM_CHECK_URI = "http://libarchive.org/"
 SRC_URI[sha256sum] = "ba6d02f15ba04aba9c23fd5f236bb234eab9d5209e95d1c4df85c44d5f19b9b3"
+CVE_STATUS[CVE-2023-30571] = "upstream-wontfix: upstream has documented that reported function is not thread-safe"
 inherit autotools update-alternatives pkgconfig
 CPPFLAGS += "-I${WORKDIR}/extra-includes"
author	Peter Marko <peter.marko@siemens.com>	2023-07-29 20:21:48 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-07-30 12:00:15 +0100
commit	5dd5f0f5348594a0b636ef05a87381b997db4fb5 (patch)
tree	0c7114b79e98cb777c4be332053935e83bd0d3d8 /meta/recipes-extended/libarchive
parent	2f54f9bc01a76b3faebf648c949cf196083c5331 (diff)
download	poky-5dd5f0f5348594a0b636ef05a87381b997db4fb5.tar.gz

diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb index bf14725dc1..4169a012fd 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -34,6 +34,8 @@ UPSTREAM_CHECK_URI = "http://libarchive.org/"
34		34
35	SRC_URI[sha256sum] = "ba6d02f15ba04aba9c23fd5f236bb234eab9d5209e95d1c4df85c44d5f19b9b3"	35	SRC_URI[sha256sum] = "ba6d02f15ba04aba9c23fd5f236bb234eab9d5209e95d1c4df85c44d5f19b9b3"
36		36
		37	CVE_STATUS[CVE-2023-30571] = "upstream-wontfix: upstream has documented that reported function is not thread-safe"
		38
37	inherit autotools update-alternatives pkgconfig	39	inherit autotools update-alternatives pkgconfig
38		40
39	CPPFLAGS += "-I${WORKDIR}/extra-includes"	41	CPPFLAGS += "-I${WORKDIR}/extra-includes"