[dunfell 05/11] git: Ignore CVE-2022-24975


Steve Sakoman
 

From: Richard Purdie <richard.purdie@...>

Everyone I've talked to doesn't see this as a major issue. The CVE
asks for a documentation improvement on the --mirror option to
git clone as deleted content could be leaked into a mirror. For OE's
general users/use cases, we wouldn't build or ship docs so this wouldn't
affect us.

Signed-off-by: Richard Purdie <richard.purdie@...>
(cherry picked from commit 5dfe2dd5482c9a446f8e722fe51903d205e6770d)
Signed-off-by: Steve Sakoman <steve@...>
---
meta/recipes-devtools/git/git.inc | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
index a89dd42e8b..ffbae145cf 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -20,6 +20,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7c0d7ef03a7eb04ce795b0f60e68e7e1"

CVE_PRODUCT = "git-scm:git"

+# This is about a manpage not mentioning --mirror may "leak" information
+# in mirrored git repos. Most OE users wouldn't build the docs and
+# we don't see this as a major issue for our general users/usecases.
+CVE_CHECK_IGNORE += "CVE-2022-24975"
+
PACKAGECONFIG ??= ""
PACKAGECONFIG[cvsserver] = ""
PACKAGECONFIG[svn] = ""
--
2.25.1

Join openembedded-core@lists.openembedded.org to automatically receive all group messages.