On Fri, 2021-01-15 at 12:47 +0200, Mikko Rapeli wrote: > It affects only cairo embedded into Firefox. > > https://security-tracker.debian.org/tracker/CVE-2013-0800 > > "The description is misleading: Firefox embeds a copy of Cairo, the interdiff > shows the respective change at > mozilla-esr17/gfx/cairo/cairo/src/cairo-image-surface.c > Apparently the forked copy has changed, the code isn't present in vanilla > Cairo" > > Signed-off-by: Mikko Rapeli <[email protected]> > --- > meta/recipes-graphics/cairo/cairo_1.16.0.bb | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta/recipes-graphics/cairo/cairo_1.16.0.bb > b/meta/recipes-graphics/cairo/cairo_1.16.0.bb > index 8663dec404..29088ab0d6 100644 > --- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb > +++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb > @@ -29,6 +29,9 @@ SRC_URI = > "http://cairographics.org/releases/cairo-${PV}.tar.xz \ > file://CVE-2019-6462.patch \ > " > > > > > +# Affects only embedded cairo in Firefox > +CVE_CHECK_WHITELIST += "CVE-2013-0800" > +
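Review bot: The comment above `CVE_CHECK_WHITELIST += "CVE-2013-0800"` states the conclusion but not the evidence for it. The commit message already cites the Debian security tracker entry and the affected file in Firefox's forked copy (mozilla-esr17/gfx/cairo/cairo/src/cairo-image-surface.c). Putting the tracker URL in the recipe comment would let someone auditing the whitelisted CVEs in cairo_1.16.0.bb verify the exemption without going through git history. The comment could also say that the code is not present in vanilla cairo, since that is the stated reason the entry can be ignored.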
That sounds a lot like we should send a CPE change upstream to classify it as firefox rather than cairo?

Cheers,

Richard
View/Reply Online (#146738): https://lists.openembedded.org/g/openembedded-core/message/146738
