In commit
a9aa11544a ("package/qt6/qt6svg:
backport fix for CVE-2023-32573"), a fix for security issue
CVE-2023-32573 was added to qt6svg, with the appropriate
QT6SVG_IGNORE_CVES entry.
However, all CVEs against Qt are reported by the NVD on the qt:qt
vendor/product CPE. For example:
https://nvd.nist.gov/vuln/detail/CVE-2023-32573
Therefore, the QT6SVG_IGNORE_CVES entry added has no effect, and
CVE-2023-32573 continues to be reported against our qt6base package.
The only reasonable option is to collect all such CVE ignore entries
for Qt modules into the qt6base package, which is the one that matches
with the qt:qt CPE identifier. This commit does just that, with an
hopefully appropriate comment in qt6base.mk that explains what's going
on.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
498406cfdb