sox: mark CVEs included in hash update as fixed

git log sox-14.4.2..HEAD | grep -o 'CVE-[0-9-]*' | sort -u CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 CVE-2017-15371 CVE-2017-15372 CVE-2017-15642 CVE-2017-18189 CVE-2019-13590 CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 Following remaining CVEs are handled in commits: CVE-2019-1010004 - NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-1010004 - report: https://sourceforge.net/p/sox/bugs/299/ - patch: https://sourceforge.net/p/sox/code/ci/09d7388c8ad5701ed9c59d1d600ff6154b066397/ - same commit as CVE-2017-18189 as mentioned in NVD and bugreport texts - https://security-tracker.debian.org/tracker/CVE-2019-1010004 links it - it's only commit in src/xa.c in last 15 years Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-06-05 02:50:46 +00:00 · 2025-03-16 23:53:50 +01:00
parent 0ae4736226
commit afb0d8d2c6
1 changed files with 8 additions and 0 deletions
@@ -38,6 +38,14 @@ S = "${WORKDIR}/git"

 CVE_PRODUCT:append = " libsox_project:libsox sound_exchange_project:sound_exchange"

+CVE_STATUS_GROUPS += "CVE_STATUS_HASH_UPDATE"
+CVE_STATUS_HASH_UPDATE = " \
+    CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 CVE-2017-15371 \
+    CVE-2017-15372 CVE-2017-15642 CVE-2017-18189 CVE-2019-13590 CVE-2019-8354 \
+    CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 CVE-2019-1010004 \
+"
+CVE_STATUS_HASH_UPDATE[status] = "fixed-version: patched in current git hash"
+
 inherit autotools pkgconfig

 # Enable largefile support