[Buildroot] [git commit] package/libopenh264: ignore CVE-2025-27091

Peter Korsgaard peter at korsgaard.com
Mon Apr 14 19:42:00 UTC 2025


commit: https://git.buildroot.net/buildroot/commit/?id=2488d97719535a00797bef01caad7f449954c725
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

Both openh264 2.6.0 and 2.5.1 contain the fix for this CVE (see the
release notes at [1]).

In other words, the version we have is no longer vulnerable since
a7aeb5a46eaaf8a39560c8664593018cf253835a ("package/libopenh264:
security bump to version 2.5.1") but pkg-stats still reports it.

An email was sent to the NVD to fix the CPE version number, but in the
meantime let's ignore it to reduce the noise in our CVE checker.

[1]: https://github.com/cisco/openh264/releases/tag/2.5.1

Signed-off-by: Raphaël Mélotte <raphael.melotte at mind.be>
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 package/libopenh264/libopenh264.mk | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/package/libopenh264/libopenh264.mk b/package/libopenh264/libopenh264.mk
index f9a50e4c61..9ae996fee1 100644
--- a/package/libopenh264/libopenh264.mk
+++ b/package/libopenh264/libopenh264.mk
@@ -12,6 +12,9 @@ LIBOPENH264_CPE_ID_VENDOR = cisco
 LIBOPENH264_CPE_ID_PRODUCT = openh264
 LIBOPENH264_INSTALL_STAGING = YES
 
+# The following CVE is fixed in 2.5.1, the NVD CPE is not up to date
+LIBOPENH264_IGNORE_CVES += CVE-2025-27091
+
 ifeq ($(BR2_aarch64),y)
 LIBOPENH264_ARCH = aarch64
 else ifeq ($(BR2_arm)$(BR2_armeb),y)
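Review bot: the new comment above LIBOPENH264_IGNORE_CVES gives no pointer a future maintainer can check before dropping the ignore; consider citing the upstream release notes from the commit message (https://github.com/cisco/openh264/releases/tag/2.5.1) in the comment, e.g. "# CVE-2025-27091 is fixed in 2.5.1 (see release notes), but the NVD CPE range is not up to date", so that once NVD corrects the CPE version the entry can be removed without re-deriving why it was added, and the fix-version claim stays tied to the verifiable source rather than living only in git history.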