git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit

author	Peter Marko <peter.marko@siemens.com>
	Sat, 29 Jul 2023 18:23:19 +0000 (20:23 +0200)
committer	Steve Sakoman <steve@sakoman.com>
	Fri, 4 Aug 2023 15:44:24 +0000 (05:44 -1000)
commit	9374e680ae2376589a9bfe4565dfcf4dc9791aa8
tree	5f63ffcf9ab4af14088c97385dd6bde43f050245	tree
parent	07e03175de91739064ae5530b3df093b4d05510b	commit \| diff

libarchive: ignore CVE-2023-30571

This issue was reported and discusses under [1] which is linked in NVD CVE report.
It was already documented that some parts or libarchive are thread safe and some not.
[2] was now merged to document that also reported function is not thread safe.
So this CVE *now* reports thread race condition for non-thread-safe function.
And as such the CVE report is now invalid.

The issue is still not closed for 2 reasons:
* better document what is and what is not thread safe
* request to public if someone could make these functions thread safe
This should however not invalidate above statment about ignoring this CVE.

[1] https://github.com/libarchive/libarchive/issues/1876
[2] https://github.com/libarchive/libarchive/pull/1875

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>