Projetos/rpi-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs/manual: mention CVE trailer

Browse Source 
Adds documentation about adding a patch that address a vulnerability.

The patch-policy file now explain mention that patches that address a
vulnerability needs to include a `CVE:` trailer with the reference of
that vulnerability.

Until now only adding the reference to the `_IGNORE_CVES` variable was
necessary, so the documentation of this entry is modified as well to
point to the patch policy.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1167d0ff3d225ca9ce2b6299da28a9307d370142)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit is contained in:
Thomas Perale
2025-10-30 20:09:36 +01:00
parent 95c0e5ca95
commit 096589bd59
2 changed files with 15 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/manual/adding-packages-generic.adoc
View File

@@ -509,9 +509,9 @@ not and can not work as people would expect it should:
* +LIBFOO_IGNORE_CVES+ is a space-separated list of CVEs that tells * +LIBFOO_IGNORE_CVES+ is a space-separated list of CVEs that tells
Buildroot CVE tracking tools which CVEs should be ignored for this Buildroot CVE tracking tools which CVEs should be ignored for this
package. This is typically used when the CVE is fixed by a patch in package. This is typically used when the CVE is fixed by a patch in
the package, or when the CVE for some reason does not affect the the package (see xref:additional-patch-documentation[]), or when the CVE for
Buildroot package. A Makefile comment must always precede the some reason does not affect the Buildroot package. A Makefile comment must
addition of a CVE to this variable. Example: always precede the addition of a CVE to this variable. Example:
+ +
---- ----
# 0001-fix-cve-2020-12345.patch # 0001-fix-cve-2020-12345.patch

11
docs/manual/patch-policy.adoc
View File

@@ -144,6 +144,7 @@ AC_PROG_MAKE_SET
+AM_CONDITIONAL([CXX_WORKS], [test "x$rw_cv_prog_cxx_works" = "xyes"]) +AM_CONDITIONAL([CXX_WORKS], [test "x$rw_cv_prog_cxx_works" = "xyes"])
---- ----
[[additional-patch-documentation]]
=== Additional patch documentation === Additional patch documentation
Ideally, all patches should document an upstream patch or patch submission, when Ideally, all patches should document an upstream patch or patch submission, when
@@ -178,3 +179,13 @@ Upstream: N/A <additional information about why patch is Buildroot specific>
Adding this documentation helps streamline the patch review process during Adding this documentation helps streamline the patch review process during
package version updates. package version updates.
If the patch addresses one or multiple vulnerabilities, list each identifier on
a separate line with a +CVE+ trailer.
----
CVE: <vulnerability identifier>
----
If multiple patches address the same vulnerability, reference the vulnerability
in every patch.