From 498406cfdbf0f7bacd92bf93b04b2943a30d15fe Mon Sep 17 00:00:00 2001
From: Thomas Petazzoni
Date: Tue, 31 Dec 2024 11:55:35 +0100
Subject: [PATCH] package/qt6base: properly ignore CVE-2023-32573

In commit a9aa11544a1358609aee8446723898c6b5f22689 ("package/qt6/qt6svg: backport fix for CVE-2023-32573"), a fix for security issue CVE-2023-32573 was added to qt6svg, with the appropriate QT6SVG_IGNORE_CVES entry.

However, all CVEs against Qt are reported by the NVD on the qt:qt vendor/product CPE. For example: https://nvd.nist.gov/vuln/detail/CVE-2023-32573

Therefore, the QT6SVG_IGNORE_CVES entry added has no effect, and CVE-2023-32573 continues to be reported against our qt6base package.

The only reasonable option is to collect all such CVE ignore entries for Qt modules into the qt6base package, which is the one that matches with the qt:qt CPE identifier.

This commit does just that, with an hopefully appropriate comment in qt6base.mk that explains what's going on.

Signed-off-by: Thomas Petazzoni
Signed-off-by: Peter Korsgaard
---
 package/qt6/qt6base/qt6base.mk | 8 ++++++++
 package/qt6/qt6svg/qt6svg.mk | 2 --
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/package/qt6/qt6base/qt6base.mk b/package/qt6/qt6base/qt6base.mk
index ab6764cbbe..3d45079747 100644
--- a/package/qt6/qt6base/qt6base.mk
+++ b/package/qt6/qt6base/qt6base.mk
@@ -27,6 +27,14 @@
 QT6BASE_IGNORE_CVES += CVE-2023-34410
 # 0016-HTTP2-Delay-any-communication-until-encrypted-can-be.patch
 QT6BASE_IGNORE_CVES += CVE-2024-39936
 
+# All Qt CVEs are reported by NVD against the qt:qt vendor/product
+# CPE, so from a Buildroot perspective, they will all show up reported
+# on qt6base. The ignore CVE entries below are for other Qt modules,
+# but they need to be listed here to be properly accounted for.
+
+# qt6svg/0001-QSvgFont-Initialize-used-member-remove-unused.patch
+QT6BASE_IGNORE_CVES += CVE-2023-32573
+
 QT6BASE_CMAKE_BACKEND = ninja
 QT6BASE_LICENSE = \
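Review bot: The new `QT6BASE_IGNORE_CVES += CVE-2023-32573` entry is only justified while package/qt6/qt6svg still carries 0001-QSvgFont-Initialize-used-member-remove-unused.patch, yet after this commit nothing in qt6svg.mk points back here, so a later qt6svg version bump that drops the patch can leave a stale ignore in a different package with nobody noticing. I would extend the new comment block with one more line, `# Drop the matching entry here whenever the module's patch is removed on a version bump.`, and keep the per-entry `# qt6svg/<patch>` reference as done here so the link stays auditable. It is presumably also correct to keep the ignore when qt6svg is not selected at all, since the affected code is then not built; if that is the intent, saying so in the comment would save the next reader from re-deriving it. A short pointer comment in qt6svg.mk next to where the entry was removed would close the loop from the other side.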
diff --git a/package/qt6/qt6svg/qt6svg.mk b/package/qt6/qt6svg/qt6svg.mk
index 4386556548..25e87dd208 100644
--- a/package/qt6/qt6svg/qt6svg.mk
+++ b/package/qt6/qt6svg/qt6svg.mk
@@ -9,8 +9,6 @@
 QT6SVG_SITE = $(QT6_SITE)
 QT6SVG_SOURCE = qtsvg-$(QT6_SOURCE_TARBALL_PREFIX)-$(QT6SVG_VERSION).tar.xz
 QT6SVG_INSTALL_STAGING = YES
 QT6SVG_SUPPORTS_IN_SOURCE_BUILD = NO
-# 0001-QSvgFont-Initialize-used-member-remove-unused.patch
-QT6SVG_IGNORE_CVES += CVE-2023-32573
 
 QT6SVG_CMAKE_BACKEND = ninja