From 0542c12e893d774f33feb776aea7a6aa6746960c Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@arm.com>
Date: Fri, 3 Nov 2023 13:28:06 +0000
Subject: libxml2: ignore disputed CVE-2023-45322

This CVE is a use-after-free which theoretically can be an exploit
vector, but this UAF only occurs when malloc() fails.  As it's
unlikely that the user can orchestrate malloc() failures at just the
place to break on _this_ malloc and not others it is disputed that this
is actually a security issue.

The underlying bug has been fixed, and will be incorporated into the
next release.

(From OE-Core rev: 8c70e7cecb1beb30a5be4ea9bbc89c2f2e11853b)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-core/libxml/libxml2_2.11.5.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-core/libxml/libxml2_2.11.5.bb b/meta/recipes-core/libxml/libxml2_2.11.5.bb
index 4cf6dd09a9..fc82912df2 100644
--- a/meta/recipes-core/libxml/libxml2_2.11.5.bb
+++ b/meta/recipes-core/libxml/libxml2_2.11.5.bb
@@ -21,6 +21,9 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
 SRC_URI[archive.sha256sum] = "3727b078c360ec69fa869de14bd6f75d7ee8d36987b071e6928d4720a28df3a6"
 SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
 
+# Disputed as a security issue, but fixed in d39f780
+CVE_STATUS[CVE-2023-45322] = "disputed: issue requires memory allocation to fail"
+
 BINCONFIG = "${bindir}/xml2-config"
 
 PACKAGECONFIG ??= "python \
-- 
cgit v1.2.3-54-g00ecf