[Buildroot] [PATCH 1/2] package/tiff: ignore CVE-2025-8851
Thomas Perale
thomas.perale at mind.be
Fri Sep 26 16:32:38 UTC 2025
The CVE-2025-8851 [1] has been fixed in upstream commit [2] that is part
of the v4.7.0 release.
Because the NVD reference includes the version '<2024-08-11', most CVE
checkers will fail to compare it against 4.7.0 and report it as a
positive.
[1] https://nvd.nist.gov//vuln/detail/CVE-2025-8851
[2] https://gitlab.com/libtiff/libtiff/-/commit/8a7a48d7a645992ca83062b3a1873c951661e2b3
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
package/tiff/tiff.mk | 3 +++
1 file changed, 3 insertions(+)
diff --git a/package/tiff/tiff.mk b/package/tiff/tiff.mk
index 3d426fad4d..dd23c2bd43 100644
--- a/package/tiff/tiff.mk
+++ b/package/tiff/tiff.mk
@@ -19,6 +19,9 @@ TIFF_IGNORE_CVES += CVE-2025-8176
# 0004-fix-for-thumbnail-issue.patch
TIFF_IGNORE_CVES += CVE-2025-8177
+# Fixed in 4.7.0
+TIFF_IGNORE_CVES += CVE-2025-8851
+
# webp has a (optional) dependency on tiff, so we can't have webp
# support in tiff, or that would create a circular dependency.
TIFF_CONF_OPTS = \
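Review bot: The comment on the added line, "# Fixed in 4.7.0", records neither the upstream commit nor the reason an ignore entry is needed for a CVE that is already fixed in the packaged release. Both are in the commit message (commit 8a7a48d7a645992ca83062b3a1873c951661e2b3, and the NVD entry carrying the version '<2024-08-11', which cannot be compared against 4.7.0), so they should be repeated in the comment, for example "# Fixed in 4.7.0 (upstream commit 8a7a48d7), NVD lists version '<2024-08-11'". The neighbouring entries point at a patch file such as "# 0004-fix-for-thumbnail-issue.patch"; this entry has no patch to point at, so without that context in tiff.mk a later cleanup of TIFF_IGNORE_CVES cannot tell that the line works around the NVD version data and can be dropped once that data is corrected.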
--
2.51.0