From: Fabrice Fontaine Date: Sat, 29 Feb 2020 09:46:09 +0000 (+0100) Subject: package/boost: annotate _IGNORE_CVES for CVE-2009-3654 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=c8c5660a818c9a367e46d4188f5f87b2dfe74a71;p=buildroot.git package/boost: annotate _IGNORE_CVES for CVE-2009-3654 This CVE does not affect the boost package, but is misclassified by our CVS tracker. As per the advisory: Unspecified vulnerability in Boost before 6.x-1.03, a module for Drupal, allows remote attackers to create new webroot directories via unknown attack vectors. Ignore the CVS, and expand a comment to explain it. Signed-off-by: Fabrice Fontaine [yann.morin.1998@free.fr: expand the comment] Signed-off-by: Yann E. MORIN --- diff --git a/package/boost/boost.mk b/package/boost/boost.mk index 322429a10c..2daf7f5a96 100644 --- a/package/boost/boost.mk +++ b/package/boost/boost.mk @@ -11,6 +11,10 @@ BOOST_INSTALL_STAGING = YES BOOST_LICENSE = BSL-1.0 BOOST_LICENSE_FILES = LICENSE_1_0.txt +# CVE-2009-3654 is misclassified (by our CVE tracker) as affecting to boost, +# while in fact it affects Drupal (a module called boost in there). +BOOST_IGNORE_CVES += CVE-2009-3654 + # keep host variant as minimal as possible HOST_BOOST_FLAGS = --without-icu --with-toolset=gcc \ --without-libraries=$(subst $(space),$(comma),atomic chrono context \
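Review bot: In the comment added above `BOOST_IGNORE_CVES += CVE-2009-3654`, "as affecting to boost" should read "as affecting boost". The comment would also hold up better in a later audit if it named the affected product as precisely as the commit message does (Boost before 6.x-1.03, a module for Drupal), so the ignore entry can be re-checked against the advisory without going back to the git history. Separately, the commit message says "CVS tracker" and "Ignore the CVS" where the in-tree comment says "CVE tracker"; the two should agree.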