From 3c88e7efaa06fb442320ed8b0187615b6651561c Mon Sep 17 00:00:00 2001
From: Thomas Perale
Date: Tue, 30 Dec 2025 09:19:12 +0100
Subject: [PATCH] boot/grub2: remove stale IGNORE_CVES

Since Buildroot commit [1] the CVEs are no longer matched to CPEs with versions using '-'. The IGNORE_CVES entries introduced in [2][3][4] are then no longer matched to the grub2 package. For more information, see the explanation in commit [1].

[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 2495630383 boot/grub2: ignore CVE-2024-1048
[3] e2f46ed03d boot/grub2: ignore CVE-2023-4001
[4] a490687571 boot/grub2: ignore the last 3 remaining CVEs

Signed-off-by: Thomas Perale
Signed-off-by: Thomas Petazzoni
(cherry picked from commit 2a2184f317faa41049cba4095fde42e87628091e)
Signed-off-by: Thomas Perale
---
 boot/grub2/grub2.mk | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/boot/grub2/grub2.mk b/boot/grub2/grub2.mk
index aa66e48790..5de2afcc32 100644
--- a/boot/grub2/grub2.mk
+++ b/boot/grub2/grub2.mk
@@ -15,17 +15,6 @@ HOST_GRUB2_DEPENDENCIES = host-bison host-flex host-gawk \
 	$(BR2_PYTHON3_HOST_DEPENDENCY)
 GRUB2_INSTALL_IMAGES = YES
 
-# CVE-2019-14865 is about a flaw in the grub2-set-bootflag tool, which
-# doesn't exist upstream, but is added by the Redhat/Fedora
-# packaging. Not applicable to Buildroot.
-GRUB2_IGNORE_CVES += CVE-2019-14865
-# vulnerability is specific to the Redhat distribution, affects a
-# downstream change from Redhat related to password authentication
-GRUB2_IGNORE_CVES += CVE-2023-4001
-# vulnerability is specific to the Redhat distribution, affects the
-# grub2-set-bootflag tool, which doesn't exist upstream
-GRUB2_IGNORE_CVES += CVE-2024-1048
-
 # 0004-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch (yes, two
 # CVEs are fixed by this patch)
 GRUB2_IGNORE_CVES += CVE-2024-45782