[Buildroot] [PATCH 1/1] package/libopenh264: ignore CVE-2025-27091
Raphaël Mélotte
raphael.melotte at mind.be
Mon Apr 14 13:32:33 UTC 2025
Both openh264 2.6.0 and 2.5.1 contain the fix for this CVE (see the
release notes at [1]).
In other words the version we have is no longer vulnerable since
a7aeb5a46eaaf8a39560c8664593018cf253835a ("package/libopenh264:
security bump to version 2.5.1") but pkg-stats still reports it.
An email was sent to the NVD to fix the CPE version number, but in the
meantime let's ignore it to reduce the noise in our CVE checker.
[1]: https://github.com/cisco/openh264/releases/tag/2.5.1
Signed-off-by: Raphaël Mélotte <raphael.melotte at mind.be>
---
package/libopenh264/libopenh264.mk | 3 +++
1 file changed, 3 insertions(+)
diff --git a/package/libopenh264/libopenh264.mk b/package/libopenh264/libopenh264.mk
index f9a50e4c61..9ae996fee1 100644
--- a/package/libopenh264/libopenh264.mk
+++ b/package/libopenh264/libopenh264.mk
@@ -12,6 +12,9 @@ LIBOPENH264_CPE_ID_VENDOR = cisco
LIBOPENH264_CPE_ID_PRODUCT = openh264
LIBOPENH264_INSTALL_STAGING = YES
+# The following CVE is fixed in 2.5.1, the NVD CPE is not up to date
+LIBOPENH264_IGNORE_CVES += CVE-2025-27091
+
ifeq ($(BR2_aarch64),y)
LIBOPENH264_ARCH = aarch64
else ifeq ($(BR2_arm)$(BR2_armeb),y)
--
2.49.0
More information about the buildroot
mailing list