boot/grub2: ignore CVE-2024-1048

As explained in: https://security-tracker.debian.org/tracker/CVE-2024-1048 https://www.openwall.com/lists/oss-security/2024/02/06/3 CVE-2024-1048 is related to a tool called grub-set-bootflag which only exists in the Redhat fork of Grub, and which we don't use in Buildroot, so this CVE should be ignored. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 2495630383c4a6659b6b91a58e4f71cdda283f2f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-08-21 15:09:49 +02:00 · 2024-08-21 15:09:49 +02:00 · 5aec55c983
commit 5aec55c983
parent ed80615cf4
1 changed files with 3 additions and 0 deletions
--- a/boot/grub2/grub2.mk
+++ b/boot/grub2/grub2.mk
@ -25,6 +25,9 @@ GRUB2_IGNORE_CVES += CVE-2019-14865
 GRUB2_IGNORE_CVES += CVE-2020-15705
 # vulnerability is specific to the SUSE distribution
 GRUB2_IGNORE_CVES += CVE-2021-46705
+# vulnerability is specific to the Redhat distribution, affects the
+# grub2-set-bootflag tool, which doesn't exist upstream
+GRUB2_IGNORE_CVES += CVE-2024-1048

 ifeq ($(BR2_TARGET_GRUB2_INSTALL_TOOLS),y)
 GRUB2_INSTALL_TARGET = YES