[OE-core] [PATCH 1/3] readline: Security Advisory - readline - CVE-2014-2524

Burton, Ross ross.burton at intel.com
Tue Oct 6 10:06:26 UTC 2015


On 6 October 2015 at 09:11, Petter Mabäcker <petter at technux.se> wrote:

> I played around with the new meta-security-isafw layer and the
> cve-check-tool. In readline the CVE CVE-2014-2524 is marked as 'missing' by
> the framework and I was confused to start with, since I saw that this
> commit was included. But after looking at the actual patch I realized that
> it only contains a report and not the patch itself. My question is if that
> is on purpose and due to some decision that the CVE isn't really causing
> any harm or if it's by mistake?

As can be seen at
http://lists.gnu.org/archive/html/bug-readline/2014-03/msg00057.html the
CVE patch is simply adding a #if defined (DEBUG), which is in the patch
included in oe-core master as readline-6.3/readline63-003.

The tool is probably reporting it as missing as -- if I recall correctly --
it identifies CVE patches by filename.

Ross
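
Added example, not part of the original message and not cve-check-tool's own code: taking the filename-based matching recalled above as an assumption, this audit shows why a fix shipped under an upstream name such as readline63-003 comes back as 'missing', and lists patches whose text names the CVE so they can be reviewed by hand. The patch bodies and all function names are constructed for illustration.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

def cves_in(text):
    """Return the set of CVE ids (upper-cased) mentioned in text."""
    return {m.upper() for m in CVE_RE.findall(text)}

def audit_patches(patches, cve):
    """Classify how each patch can be tied to `cve`.

    patches: mapping of patch filename -> patch text.
    Returns filename -> 'filename' | 'content' | 'none'.
    """
    result = {}
    for name, body in patches.items():
        if cve in cves_in(name):
            result[name] = "filename"
        elif cve in cves_in(body):
            result[name] = "content"
        else:
            result[name] = "none"
    return result

def filename_only_verdict(patches, cve):
    """Verdict of a matcher that looks at filenames only (assumed behaviour)."""
    hits = audit_patches(patches, cve).values()
    return "patched" if "filename" in hits else "missing"

def needs_manual_review(patches, cve):
    """Patches a filename matcher misses although their text names the CVE."""
    audit = audit_patches(patches, cve)
    return sorted(n for n, how in audit.items() if how == "content")

# Constructed sample: filenames follow the upstream naming seen in the thread,
# the bodies are invented stand-ins, not the real patch contents.
SAMPLE = {
    "readline63-002": "constructed: unrelated upstream fix\n",
    "readline63-003": "constructed header: addresses CVE-2014-2524\n"
                      "+#if defined (DEBUG)\n",
}

if __name__ == "__main__":
    cve = "CVE-2014-2524"
    print("filename-only verdict:", filename_only_verdict(SAMPLE, cve))
    print("review by hand:", needs_manual_review(SAMPLE, cve))
```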