package/qt6base: properly ignore CVE-2023-32573

In commit
a9aa11544a ("package/qt6/qt6svg:
backport fix for CVE-2023-32573"), a fix for security issue
CVE-2023-32573 was added to qt6svg, with the appropriate
QT6SVG_IGNORE_CVES entry.

However, all CVEs against Qt are reported by the NVD on the qt:qt
vendor/product CPE. For example:

  https://nvd.nist.gov/vuln/detail/CVE-2023-32573

Therefore, the QT6SVG_IGNORE_CVES entry added has no effect, and
CVE-2023-32573 continues to be reported against our qt6base package.

The only reasonable option is to collect all such CVE ignore entries
for Qt modules into the qt6base package, which is the one that matches
with the qt:qt CPE identifier. This commit does just that, with an
hopefully appropriate comment in qt6base.mk that explains what's going
on.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/qt6/qt6base/qt6base.mk

@@ -27,6 +27,14 @@ QT6BASE_IGNORE_CVES += CVE-2023-34410
 # 0016-HTTP2-Delay-any-communication-until-encrypted-can-be.patch
 QT6BASE_IGNORE_CVES += CVE-2024-39936
 
+# All Qt CVEs are reported by NVD against the qt:qt vendor/product
+# CPE, so from a Buildroot perspective, they will all show up reported
+# on qt6base. The ignore CVE entries below are for other Qt modules,
+# but they need to be listed here to be properly accounted for.
+
+# qt6svg/0001-QSvgFont-Initialize-used-member-remove-unused.patch
+QT6BASE_IGNORE_CVES += CVE-2023-32573
+
 QT6BASE_CMAKE_BACKEND = ninja
 
 QT6BASE_LICENSE = \

package/qt6/qt6svg/qt6svg.mk

@@ -9,8 +9,6 @@ QT6SVG_SITE = $(QT6_SITE)
 QT6SVG_SOURCE = qtsvg-$(QT6_SOURCE_TARBALL_PREFIX)-$(QT6SVG_VERSION).tar.xz
 QT6SVG_INSTALL_STAGING = YES
 QT6SVG_SUPPORTS_IN_SOURCE_BUILD = NO
-# 0001-QSvgFont-Initialize-used-member-remove-unused.patch
-QT6SVG_IGNORE_CVES += CVE-2023-32573
 
 QT6SVG_CMAKE_BACKEND = ninja