author Peter Marko <peter.marko@siemens.com> 2025-01-17 19:26:43 +0100
committer Armin Kuster <akuster808@gmail.com> 2025-02-04 14:29:37 -0800
commit c7d64c705976024bdb537a2cec33c9223777c0d8 (patch)
tree 1805b4248d17e666c5bee09e18e810f402ff4b39 /meta-python/recipes-devtools/python/python3-h5py/0001-setup_build.py-avoid-absolute-path.patch
parent 23bd451257676e1eed3c78c8d837ce54f0332f7f (diff)
vorbis-tools: patch CVE-2023-43361
This is an inactive project, so no official CVE fix will be available anymore.
That however does not mean that there is no fix available.

The following tries to prove that the patch provided here is valid.

NVD CVE report [1] links issue [2] where this is reported.
Based on the report, a fix was proposed in [3].
There was some review, however the patch author was not active.
[4] was later created trying to address the comments, but the project was not active anymore.
In this PR the patch was shrunk to a one-liner in discussion.

I have tested the poc and it is real.
The patch fixes it, while not breaking the execution if a good file path is provided as argument.

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-43361
[2] https://github.com/xiph/vorbis-tools/issues/41
[3] https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/7
[4] https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/8

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 67d94fecb0dbd4f979b09a439c614ee4f01fc0c2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-python/recipes-devtools/python/python3-h5py/0001-setup_build.py-avoid-absolute-path.patch')
0 files changed, 0 insertions, 0 deletions