Add "CVE:" tag to current patches in OE-core

The currnet patches in OE-core doesn't have the "CVE:" tag, now part of the policy of the patches. This is patch add this tag to several patches. There might be patches that I miss; the tag can be added in the future. (From OE-Core rev: 065ebeb3e15311d0d45385e15bf557b1c95b1669) Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-05-07 16:59:22 +00:00 · 2016-01-08 12:03:58 +00:00
parent f04fb8806c
commit e5c011b041
36 changed files with 36 additions and 1 deletions
@@ -1,4 +1,5 @@
 Upstream-Status: Accepted
+CVE: CVE-2015-8370
 Signed-off-by: Awais Belal <awais_belal@mentor.com>

 From 451d80e52d851432e109771bb8febafca7a5f1f2 Mon Sep 17 00:00:00 2001
@@ -3,6 +3,7 @@ ppp: Buffer overflow in radius plugin
 From: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;bug=782450

 Upstream-Status: Backport
+CVE: CVE-2015-3310

 On systems with more than 65535 processes running, pppd aborts when
 sending a "start" accounting message to the RADIUS server because of a
@@ -4,6 +4,7 @@ Date: Fri, 6 Feb 2015 12:46:39 -0500
 Subject: [PATCH] libext2fs: fix potential buffer overflow in closefs()

 Upstream-Status: Backport
+CVE: CVE-2015-1572

 The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
 s_first_meta_bg is too big" had a typo in the fix for
@@ -11,8 +11,8 @@ fs->desc_blocks.  This doesn't correct the bad s_first_meta_bg value,
 but it avoids causing the e2fsprogs userspace programs from
 potentially crashing.

-Fixes CVE-2015-0247
 Upstream-Status: Backport
+CVE: CVE-2015-0247

 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
@@ -7,6 +7,7 @@ this patch is from:
 https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e

 Upstream-Status: Backport
+CVE: CVE-2014-9447

 Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com>
 ---
@@ -4,6 +4,7 @@ Date: Wed, 10 Jun 2015 14:36:56 +0000
 Subject: [PATCH 2/2] rpm: CVE-2013-6435

 Upstream-Status: Backport
+CVE: CVE-2013-6435

 Reference:
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
@@ -4,6 +4,7 @@ Date: Wed, 10 Jun 2015 12:56:55 +0000
 Subject: [PATCH 1/2] rpm: CVE-2014-8118

 Upstream-Status: Backport
+CVE: CVE-2014-8118

 Reference:
 https://bugzilla.redhat.com/show_bug.cgi?id=1168715
@@ -1,4 +1,5 @@
 Upstream-Status: Backport [ The patch is rsync-2.6.9 specific ]
+CVE: CVE-2007-4091

 The patch is from https://issues.rpath.com/browse/RPL-1647 and is used to
 address http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4091
@@ -6,6 +6,7 @@ Subject: [PATCH] Complain if an inc-recursive path is not right for its dir.
 trasnfer path.

 Upstream-Status: BackPort
+CVE: CVE-2014-9512

 Fix the CVE-2014-9512, rsync 3.1.1 allows remote attackers to write to arbitrary
 files via a symlink attack on a file in the synchronization path.
@@ -5,6 +5,7 @@ Subject: [PATCH 1/1] Add compat flag to allow proper seed checksum order.
 Fixes the equivalent of librsync's CVE-2014-8242 issue.

 Upstream-Status: Backport
+CVE: CVE-2014-8242

 Signed-off-by: Roy Li <rongqing.li@windriver.com>
 ---
@@ -11,6 +11,7 @@ Author: Vitezslav Cizek <vcizek@suse.cz>
 Bug-Debian: https://bugs.debian.org/774669

 Upstream-Status: Pending
+CVE: CVE-2015-1197
 Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
 Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>

@@ -1,4 +1,5 @@
 Upstream-Status: Inappropriate [bugfix: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0624]
+CVE: CVE-2010-0624

 This patch avoids heap overflow reported by :
 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0624
@@ -10,6 +10,7 @@ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5667
 Upstream-Status: Inappropriate [other]
 This version of GNU Grep has been abandoned upstream and they are no longer
 accepting patches.  This is not a backport.
+CVE: CVE-2012-5667

 Signed-off-by Ming Liu <ming.liu@windriver.com>
 ---
@@ -6,6 +6,7 @@ Subject: [PATCH] Fix CVE-2013-0211
 This patch comes from:https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4

 Upstream-Status: Backport
+CVE: CVE-2013-0211

 Signed-off-by: Baogen shang <baogen.shang@windriver.com>

@@ -7,6 +7,7 @@ This fixes a directory traversal in the cpio tool.


 Upstream-Status: backport
+CVE: CVE-2015-2304

 Signed-off-by: Li Zhou <li.zhou@windriver.com>
 ---
@@ -13,6 +13,7 @@ This patch is taken from
 ftp://ftp.debian.org/debian/pool/main/h/heirloom-mailx/heirloom-mailx_12.5-5.debian.tar.xz

 Upstream-Status: Inappropriate [upstream is dead]
+CVE: CVE-2014-7844
 ---
 mailx.1 | 14 ++++++++++++++
 names.c |  3 +++
@@ -7,6 +7,7 @@ This patch is taken from
 ftp://ftp.debian.org/debian/pool/main/h/heirloom-mailx/heirloom-mailx_12.5-5.debian.tar.xz

 Upstream-Status: Inappropriate [upstream is dead]
+CVE: CVE-2004-2771
 ---
 fio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
@@ -36,6 +36,7 @@ Date:   Thu Aug 6 16:27:20 2015 +0200
    Signed-off-by: Olaf Kirch <okir@...e.de>

    Upstream-Status: Backport
+    CVE: CVE-2015-7236

    Signed-off-by: Li Zhou <li.zhou@windriver.com>
 ---
@@ -10,6 +10,7 @@ This is time consuming and will overflow stack if n is huge.
 Fixes CVE-2015-6806

 Upstream-Status: Backport
+CVE: CVE-2015-6806

 Signed-off-by: Kuang-che Wu <kcwu@csie.org>
 Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
@@ -1,4 +1,5 @@
 Upstream-Status: Inappropriate [bugfix: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0624]
+CVE: CVE-2010-0624

 This patch avoids heap overflow reported by :
 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0624
@@ -3,6 +3,7 @@ Subject: unzip files encoded with non-latin, non-unicode file names
 Last-Update: 2015-02-11

 Upstream-Status: Backport
+CVE: CVE-2015-1315

 Updated 2015-02-11 by Marc Deslauriers <marc.deslauriers@canonical.com>
 to fix buffer overflow in charset_to_intern()
@@ -5,6 +5,7 @@ Bug-Debian: http://bugs.debian.org/773722
 The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz

 Upstream-Status: Backport
+CVE: CVE-2014-8139

 Signed-off-by: Roy Li <rongqing.li@windriver.com>

@@ -5,6 +5,7 @@ Bug-Debian: http://bugs.debian.org/773722
 The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz

 Upstream-Status: Backport
+CVE: CVE-2014-8140

 Signed-off-by: Roy Li <rongqing.li@windriver.com>

@@ -5,6 +5,7 @@ Bug-Debian: http://bugs.debian.org/773722
 The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz

 Upstream-Status: Backport
+CVE: CVE-2014-8141

 Signed-off-by: Roy Li <rongqing.li@windriver.com>

@@ -1,4 +1,5 @@
 Upstream-Status: Backport
+CVE: CVE-2015-7696
 Signed-off-by: Tudor Florea <tudor.flore@enea.com>

 From 68efed87fabddd450c08f3112f62a73f61d493c9 Mon Sep 17 00:00:00 2001
@@ -1,4 +1,5 @@
 Upstream-Status: Backport
+CVE: CVE-2015-7697
 Signed-off-by: Tudor Florea <tudor.flore@enea.com>

 From bd8a743ee0a77e65ad07ef4196c4cd366add3f26 Mon Sep 17 00:00:00 2001
@@ -4,6 +4,7 @@ Date: Wed, 11 Feb 2015
 Subject: Info-ZIP UnZip buffer overflow

 Upstream-Status: Backport
+CVE: CVE-2014-9636

 By carefully crafting a corrupt ZIP archive with "extra fields" that
 purport to have compressed blocks larger than the corresponding
@@ -9,6 +9,7 @@ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4342
 the patch come from:
 https://bugzilla.redhat.com/attachment.cgi?id=799732&action=diff

+CVE: CVE-2013-4342
 Signed-off-by: Li Wang <li.wang@windriver.com>
 ---
 xinetd/builtins.c |    2 +-
@@ -1,4 +1,5 @@
 Upstream-Status: Backport
+CVE: CVE-2014-9676

 Backport patch to fix CVE-2014-9676.

@@ -11,6 +11,7 @@ git://git.gnupg.org/libgcrypt.git
 exponents in secure memory.

 Upstream-Status: Backport
+CVE: CVE-2013-4242

 Signed-off-by: Kai Kang <kai.kang@windriver.com>
 --
@@ -1,4 +1,5 @@
 Upstream-Status: Backport
+CVE: CVE-2013-4351

 Index: gnupg-1.4.7/g10/getkey.c
 ===================================================================
@@ -1,4 +1,5 @@
 Upstream-Status: Backport
+CVE: CVE-2013-4576

 Index: gnupg-1.4.7/cipher/dsa.c
 ===================================================================
@@ -17,6 +17,7 @@ Date:   Thu Dec 20 09:43:41 2012 +0100
    (cherry-picked from commit f795a0d59e197455f8723c300eebf59e09853efa)

 Upstream-Status: Backport
+CVE: CVE-2012-6085

 Signed-off-by: Saul Wold <sgw@linux.intel.com>

@@ -8,6 +8,7 @@ We need to check that the parent node is an element before dereferencing
 its namespace

 Upstream-Status: Backport
+CVE: CVE-2015-7995

 https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617

@@ -10,6 +10,7 @@ The patch comes from
 https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2

 Upstream-Status: Backport
+CVE: CVE-2014-9130

 Signed-off-by: Yue Tao <yue.tao@windriver.com>

@@ -1,4 +1,5 @@
 Upstream-Status: Backport
+CVE: CVE-2012-2738
 Signed-off-by: Ross Burton <ross.burton@intel.com>

 From e524b0b3bd8fad844ffa73927c199545b892cdbd Mon Sep 17 00:00:00 2001