From 348ce728af1cea4f909de5c3597801b5612719e4 Mon Sep 17 00:00:00 2001 From: Daniel Turull Date: Tue, 19 Aug 2025 12:47:24 +0200 Subject: [PATCH] libxml2: ignore CVE-2025-8732 The code maintainer disputes the CVE as the issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. The issue triggers a crash if an invalid file is provided. Source: https://gitlab.gnome.org/GNOME/libxml2/-/issues/958" Signed-off-by: Daniel Turull Signed-off-by: Steve Sakoman --- meta/recipes-core/libxml/libxml2_2.12.10.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb index 078988286a..a155c3708e 100644 --- a/meta/recipes-core/libxml/libxml2_2.12.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb @@ -32,6 +32,10 @@ SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be47223 # Disputed as a security issue, but fixed in d39f780 CVE_STATUS[CVE-2023-45322] = "disputed: issue requires memory allocation to fail" +# Disputed as a security issue, if attempts to process an invalid file, it fails +# https://gitlab.gnome.org/GNOME/libxml2/-/issues/958 +CVE_STATUS[CVE-2025-8732] = "disputed: the code maintainer explains, that the issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. The issue triggers a crash if an invalid file is provided. https://gitlab.gnome.org/GNOME/libxml2/-/issues/958" + BINCONFIG = "${bindir}/xml2-config" PACKAGECONFIG ??= "python \ -- 2.47.3