> -----Original Message----- > From: [email protected] <openembedded- > [email protected]> On Behalf Of Yoann Congal via > lists.openembedded.org > Sent: Wednesday, March 18, 2026 14:42 > To: [email protected]; [email protected] > Subject: Re: [OE-core][scarthgap][PATCH 3/3] tiff: ignore CVE-2025-61143, CVE- > 2025-61144 and CVE-2025-61145 > > On Sat Mar 7, 2026 at 7:45 AM CET, Ankur Tyagi via lists.openembedded.org > wrote: > > From: Ankur Tyagi <[email protected]> > > > > These CVEs are for tools which were removed in v4.6.0[1] > > > > [1]https://gitlab.com/libtiff/libtiff/- > /commit/eab89a627f0a65e9a1a47c4b30b4802c80b1ac45 > > > > Details: > > https://nvd.nist.gov/vuln/detail/CVE-2025-61143 > > This CVE: "libtiff up to v4.7.1 was discovered to contain a NULL pointer > dereference via the component libtiff/tif_open.c." > > Despite tools being removed in the commit you mentionned > libtiff/tif_open.c was not touched and the patch linked by NVD apply to > files outside of "archive/" were the removed tools are... > > Are you sure we can ignore this CVE? > > FYI, Peter patched it on kirkstone: > [OE-core][kirkstone 07/17] tiff: patch CVE-2025-61143 - Yoann Congal > https://lore.kernel.org/openembedded- > core/944f481d214bebeaf51769d77fe16cd93cbff351.1773652940.git.yoann.congal > @smile.fr/ > > Regards,
If I remember correctly, the archived files are not included in release tarball. We're not fetching the git repository in our recipe. Peter > > > https://nvd.nist.gov/vuln/detail/CVE-2025-61144 > > https://nvd.nist.gov/vuln/detail/CVE-2025-61145 > > > > Signed-off-by: Ankur Tyagi <[email protected]> > > --- > > meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes- > multimedia/libtiff/tiff_4.6.0.bb > > index 777783d7cc..07540692fc 100644 > > --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb > > +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb > > @@ -29,7 +29,7 @@ CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested > with check from https://secur > > CVE_STATUS[CVE-2023-3164] = "cpe-incorrect: Issue only affects the tiffcrop > tool not compiled by default since 4.6.0" > > > > CVE_STATUS_GROUPS += "CVE_STATUS_REMOVED_TOOLS" > > -CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE- > 2025-8177 CVE-2025-8534 CVE-2025-8851 CVE-2025-8961" > > +CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE- > 2025-8177 CVE-2025-8534 CVE-2025-8851 CVE-2025-8961 CVE-2025-61143 CVE- > 2025-61144 CVE-2025-61145" > > CVE_STATUS_REMOVED_TOOLS[status] = "cpe-incorrect: tools affected by > these CVEs are not present in this release" > > > > inherit autotools multilib_header > > > -- > Yoann Congal > Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#233404): https://lists.openembedded.org/g/openembedded-core/message/233404 Mute This Topic: https://lists.openembedded.org/mt/118185149/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
