From: Peter Marko <peter.marko@siemens.com>
Date: Tue, 14 Oct 2025 21:34:23 +0000 (+0200)
Subject: gnupg: mark CVE-2025-30258 as patched
X-Git-Tag: 2024-04.14-scarthgap~81
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88fe1eaa4bcd7c838902d8cdc067276c5f32624d;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git

gnupg: mark CVE-2025-30258 as patched

Per NVD report [1] this CVE is fixed by [2].
This commit was backported to 2.4.8 via [3].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-30258
[2] https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158
[3] https://gitlab.com/freepg/gnupg/-/commit/da0164efc7f32013bc24d97b9afa9f8d67c318bb

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---

diff --git a/meta/recipes-support/gnupg/gnupg_2.4.8.bb b/meta/recipes-support/gnupg/gnupg_2.4.8.bb
index 9c5de263c5..a6e777abf8 100644
--- a/meta/recipes-support/gnupg/gnupg_2.4.8.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.4.8.bb
@@ -82,3 +82,4 @@ BBCLASSEXTEND = "native nativesdk"
 lcl_maybe_fortify:mipsarch = ""
 
 CVE_STATUS[CVE-2022-3219] = "upstream-wontfix: Upstream doesn't seem to be keen on merging the proposed commit - https://dev.gnupg.org/T5993"
+CVE_STATUS[CVE-2025-30258] = "cpe-stable-backport: fir for this CVE was backported to version 2.4.8"