From: Ross Burton <ross.burton@arm.com>
Date: Mon, 20 Apr 2026 19:07:47 +0000 (+0100)
Subject: xz: mark several CVEs as fixed
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cb3cfe2fa632eb81c09ca91d5d2e8c2bc218c19c;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git

xz: mark several CVEs as fixed

- CVE-2024-47611 was fixed in 5.6.3 and is Windows-specific.
- CVE-2025-31115 was fixed in 5.8.1.
- CVE-2025-58058 is specific to the Go xz module, not this recipe.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---

diff --git a/meta/recipes-extended/xz/xz_5.8.2.bb b/meta/recipes-extended/xz/xz_5.8.2.bb
index 982f5054c3a..7ada44d9f58 100644
--- a/meta/recipes-extended/xz/xz_5.8.2.bb
+++ b/meta/recipes-extended/xz/xz_5.8.2.bb
@@ -72,3 +72,7 @@ do_install_ptest () {
     ln -s ${bindir}/xzdiff ${D}${PTEST_PATH}/src/scripts/xzdiff
     ln -s ${bindir}/xzgrep ${D}${PTEST_PATH}/src/scripts/xzgrep
 }
+
+CVE_STATUS[CVE-2024-47611] = "fixed-version: fixed in 5.6.3 and Windows-specific"
+CVE_STATUS[CVE-2025-31115] = "fixed-version: fixed in 5.8.1"
+CVE_STATUS[CVE-2025-58058] = "cpe-incorrect: this is specific to the Go xz module"