From 3a97af18b149965e4c574f548d1425abf0f15e23 Mon Sep 17 00:00:00 2001
From: Peter Marko <peter.marko@siemens.com>
Date: Thu, 20 Feb 2025 19:34:15 +0100
Subject: [PATCH] ffmpeg: ignore 5 CVEs

There is no release which is vulnerable to these CVEs.
These vulnerabilities are in new features being developed and were fixed
before release.

NVD most likely does not accept CVE rejection from a non-maintainer and
non-reporter, so ignoring this CVE should be acceptable solution.

(From OE-Core rev: 220a05e27913bf838881c3f22a17d0409c5154a9)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index b5b11496f4..bded23bc35 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -57,6 +57,24 @@ SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a
 # https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-39018
 CVE_CHECK_IGNORE += "CVE-2023-39018"
 
+# There is no release which is vulnerable to these CVEs
+# These vulnerabilities are in new features being developed and fixed before releasing them
+# feature (jpeg xl): https://github.com/FFmpeg/FFmpeg/commit/0c0dd23fe1102313742092c4760596971755814e
+# bugfix: https://github.com/FFmpeg/FFmpeg/commit/bf814387f42e9b0dea9d75c03db4723c88e7d962
+CVE_CHECK_IGNORE += "CVE-2023-46407"
+# feature (evc parser): https://github.com/FFmpeg/FFmpeg/commit/34e4f18360c4ecb8e5979cab8f389478d8cd7819
+# bugfix: https://github.com/FFmpeg/FFmpeg/commit/4565747056a11356210ed8edcecb920105e40b60
+CVE_CHECK_IGNORE += "CVE-2023-47470"
+# feature (jpeg xl): https://github.com/FFmpeg/FFmpeg/commit/0c0dd23fe1102313742092c4760596971755814e
+# bugfix: https://github.com/FFmpeg/FFmpeg/commit/d2e8974699a9e35cc1a926bf74a972300d629cd5
+CVE_CHECK_IGNORE += "CVE-2024-22860"
+# feature (oqs audio decoder): https://github.com/FFmpeg/FFmpeg/commit/7ef9d31071021c05e6b792af3f25b7b9ceaa9258
+# bugfix: https://github.com/FFmpeg/FFmpeg/commit/87b8c1081959e45ffdcbabb3d53ac9882ef2b5ce
+CVE_CHECK_IGNORE += "CVE-2024-22861"
+# feature (jpeg xl): https://github.com/FFmpeg/FFmpeg/commit/0c0dd23fe1102313742092c4760596971755814e
+# bugfix: https://github.com/FFmpeg/FFmpeg/commit/ca09d8a0dcd82e3128e62463231296aaf63ae6f7
+CVE_CHECK_IGNORE += "CVE-2024-22862"
+
 # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717
 ARM_INSTRUCTION_SET:armv4 = "arm"
 ARM_INSTRUCTION_SET:armv5 = "arm"