git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit

author	Peter Marko <peter.marko@siemens.com>
	Sat, 29 Jul 2023 18:22:35 +0000 (20:22 +0200)
committer	Steve Sakoman <steve@sakoman.com>
	Mon, 31 Jul 2023 18:15:06 +0000 (08:15 -1000)
commit	d5e7971e12cdc8748be91b4e6408b42fa86b2f15
tree	21dfac8ce31105a203dcd9ceb139b3e41299eb03	tree \| snapshot
parent	410cdbc70cfba709ec5bef508e772f52514ba28a	commit \| diff

libarchive: ignore CVE-2023-30571

This issue was reported and discusses under [1] which is linked in NVD CVE report.
It was already documented that some parts or libarchive are thread safe and some not.
[2] was now merged to document that also reported function is not thread safe.
So this CVE *now* reports thread race condition for non-thread-safe function.
And as such the CVE report is now invalid.

The issue is still not closed for 2 reasons:
* better document what is and what is not thread safe
* request to public if someone could make these functions thread safe
This should however not invalidate above statment about ignoring this CVE.

[1] https://github.com/libarchive/libarchive/issues/1876
[2] https://github.com/libarchive/libarchive/pull/1875

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>