[Buildroot] [git commit] package/mupdf: add CVE-2024-2425{8, 9} to IGNORE_CVES
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Mon Dec 29 14:06:20 UTC 2025
commit: https://git.buildroot.net/buildroot/commit/?id=a8e7e6c85289f0eee1b2bf13da2c83dbfb07ef65
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Buildroot commit [1] removed the IGNORE_CVES entries for
CVE-2024-24258 & CVE-2024-24259 because they referenced patches no
longer existing.
Those IGNORE_CVES entries are still required because the CVEs reference
the exact mupdf version Buildroot is using.
Re-introduce those IGNORE_CVES entries with an updated comment instead.
[1] f2e442a14d package/mupdf: remove stale IGNORE_CVES
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
---
package/mupdf/mupdf.mk | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/package/mupdf/mupdf.mk b/package/mupdf/mupdf.mk
index 9eecb84232..57501ab954 100644
--- a/package/mupdf/mupdf.mk
+++ b/package/mupdf/mupdf.mk
@@ -21,6 +21,12 @@ MUPDF_DEPENDENCIES = \
lcms2 openjpeg \
zlib
+# Fix is in libfreeglut, but CVE applied to mupdf 1.23.9.
+# Buildroot libfreeglut is >3.4.0 then is not affected.
+MUPDF_IGNORE_CVES = \
+ CVE-2024-24258 \
+ CVE-2024-24259
+
# mupdf doesn't use CFLAGS and LIBS but XCFLAGS and XLIBS instead.
# with USE_SYSTEM_LIBS it will try to use system libraries instead of the bundled ones.
MUPDF_MAKE_ENV = $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
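
Review bot: The two-line comment above MUPDF_IGNORE_CVES rests the ignore on the libfreeglut version, but it does not say that mupdf is actually built against Buildroot's libfreeglut rather than a bundled copy, and nothing in the hunk ties the entry to that version. The existing comment just below notes that USE_SYSTEM_LIBS is what selects system libraries, so the justification only holds in that configuration. I would state that dependency explicitly in the comment, and note that the entries must be revisited if the libfreeglut package version ever changes in a way that brings it back to 3.4.0 or earlier, since CVE reporting for mupdf will stay silent on both IDs regardless. The wording "is >3.4.0 then is not affected" would also read better as "is > 3.4.0 and is therefore not affected".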