Recently NVD updated all CVEs for json-c and old fixed
CVE-2020-12762 is reported by cve_check now.
NVD match clause now includes full tag name including
date which is "greater" than tag without additional numbers.
Fix it by defining CVE_VERSION identical to full tag.
Put it close to hash so recipe update patch includes this line.
(From OE-Core rev: 55e9ff0fe1de70f226557529f73c28f34f6956ed)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This is a read past end of buffer issue in the json_parse test app,
which can happened with malformed json data. It's not an issue with the
library itself. For what ever reason this CVE has a base score of 9.8.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-32292
Upstream issue:
https://github.com/json-c/json-c/issues/654
The CVE is fixed with version 0.16 (which is already in all active
branches of poky).
(From OE-Core rev: a7b93651028b55d71b8db53ea831eee7fd539f33)
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
