]> git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit
projects / thirdparty / openembedded / openembedded-core-contrib.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1af0eda) | patch
libarchive: ignore CVE-2023-30571
authorPeter Marko <peter.marko@siemens.com>
Sat, 29 Jul 2023 18:21:48 +0000 (20:21 +0200)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Sun, 30 Jul 2023 11:00:13 +0000 (12:00 +0100)
commit9b5b850d6a6982bb8ff14dcfbb6769b293638293
tree202f362d933ce177b472c6110bf4d9a3ff74cf68tree
parent1af0edaa83934d67ff554be591968fc8cea42e4ecommit | diff
libarchive: ignore CVE-2023-30571

This issue was reported and discusses under [1] which is linked in NVD CVE report.
It was already documented that some parts or libarchive are thread safe and some not.
[2] was now merged to document that also reported function is not thread safe.
So this CVE *now* reports thread race condition for non-thread-safe function.
And as such the CVE report is now invalid.

The issue is still not closed for 2 reasons:
* better document what is and what is not thread safe
* request to public if someone could make these functions thread safe
This should however not invalidate above statment about ignoring this CVE.

[1] https://github.com/libarchive/libarchive/issues/1876
[2] https://github.com/libarchive/libarchive/pull/1875

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/recipes-extended/libarchive/libarchive_3.6.2.bb diff | blob | blame | history
Mirror of git://git.openembedded.org/openembedded-core-contrib