From cb3cfe2fa632eb81c09ca91d5d2e8c2bc218c19c Mon Sep 17 00:00:00 2001 From: Ross Burton Date: Mon, 20 Apr 2026 20:07:47 +0100 Subject: [PATCH] xz: mark several CVEs as fixed - CVE-2024-47611 was fixed in 5.6.3 and is Windows-specific. - CVE-2025-31115 was fixed in 5.8.1. - CVE-2025-58058 is specific to the Go xz module, not this recipe. Signed-off-by: Ross Burton Signed-off-by: Richard Purdie
---
 meta/recipes-extended/xz/xz_5.8.2.bb | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/meta/recipes-extended/xz/xz_5.8.2.bb b/meta/recipes-extended/xz/xz_5.8.2.bb
index 982f5054c3..7ada44d9f5 100644
--- a/meta/recipes-extended/xz/xz_5.8.2.bb
+++ b/meta/recipes-extended/xz/xz_5.8.2.bb
@@ -72,3 +72,7 @@ do_install_ptest () {
 ln -s ${bindir}/xzdiff ${D}${PTEST_PATH}/src/scripts/xzdiff
 ln -s ${bindir}/xzgrep ${D}${PTEST_PATH}/src/scripts/xzgrep
 }
+
+CVE_STATUS[CVE-2024-47611] = "fixed-version: fixed in 5.6.3 and Windows-specific"
+CVE_STATUS[CVE-2025-31115] = "fixed-version: fixed in 5.8.1"
+CVE_STATUS[CVE-2025-58058] = "cpe-incorrect: this is specific to the Go xz module"
-- 2.47.3
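Review bot: The three `CVE_STATUS` overrides appended after `do_install_ptest` give no reference that a later auditor can check, yet each one takes its CVE out of the unpatched results for every build using this recipe. A comment above the block pointing at the upstream release notes or advisory behind the 5.6.3 and 5.8.1 claims would make them verifiable, for example `# fixed versions per upstream release notes: <UPSTREAM_ADVISORY_URL placeholder>`. The first entry also gives two separate justifications under one status; since `fixed-version` is the status chosen, the comment is the better place to say which argument is relied on, as `not-applicable-platform` would be the matching status if it were the Windows one. The `cpe-incorrect` entry is presumably needed only until the CVE database's product mapping is corrected, which is worth stating so the override is dropped at that point.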