[Buildroot] [git commit branch/2023.05.x] package/heirloom-mailx: fix comment about ignore CVE-2014-7844

Peter Korsgaard peter at korsgaard.com
Thu Sep 14 08:17:44 UTC 2023 

commit: https://git.buildroot.net/buildroot/commit/?id=3baed49fb66f77086406becb1e86cb4206c9d7d5
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2023.05.x

In commit
15972770cf34ed0b0ba330e3cc42c04f1c80c3c8 ("package/heirloom-mailx:
security bump to version 12.5-5 from Debian"), we added CVE-2014-7844
in HEIRLOOM_MAILX_IGNORE_CVES, but with the wrong comment about it: it
is a different patch in the Debian stack of patches that fixes
it. Indeed the description of patch
0011-outof-Introduce-expandaddr-flag.patch is:

=====================================================================
Subject: [PATCH 1/4] outof: Introduce expandaddr flag

Document that address expansion is disabled unless the expandaddr
binary option is set.

This has been assigned CVE-2014-7844 for BSD mailx, but it is not
a vulnerability in Heirloom mailx because this feature was documented.
=====================================================================

See also https://marc.info/?l=oss-security&m=141875285203183&w=2 for
details.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout at mind.be>
(cherry picked from commit 94716fdb481247e962aa646ee1a95852d03db700)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 package/heirloom-mailx/heirloom-mailx.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/heirloom-mailx/heirloom-mailx.mk b/package/heirloom-mailx/heirloom-mailx.mk
index d3b8ad437a..bb2e1f48de 100644
--- a/package/heirloom-mailx/heirloom-mailx.mk
+++ b/package/heirloom-mailx/heirloom-mailx.mk
@@ -12,7 +12,7 @@ HEIRLOOM_MAILX_LICENSE = BSD-4-Clause, Bellcore (base64), OpenVision (imap_gssap
 HEIRLOOM_MAILX_LICENSE_FILES = COPYING
 HEIRLOOM_MAILX_CPE_ID_VENDOR = heirloom
 HEIRLOOM_MAILX_CPE_ID_PRODUCT = mailx
-# 0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch in the Debian patches
+# 0011-outof-Introduce-expandaddr-flag.patch in the Debian patches
 HEIRLOOM_MAILX_IGNORE_CVES += CVE-2014-7844
 
 ifeq ($(BR2_PACKAGE_OPENSSL),y)

More information about the buildroot mailing list