From 141c1e8a238e2e9de3f305a658b6b77b3a6db322 Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis
Date: Tue, 6 Aug 2024 20:18:06 +0300
Subject: [PATCH] Ignore CVE-2024-5175 from our security scans

Ignore CVE-2024-5175 from our security scans, because Dangerzone is not affected by it. Our assessment follows:

The affected library, `libaom.so`, is linked by GStreamer's `libgstaom.so` library. The vulnerable `aom_img_alloc` function is only used when **encoding** a video to AV1. LibreOffce uses the **decode** path instead, when generating thumbnails.

Closes #895
---
 .grype.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/.grype.yaml b/.grype.yaml
index 3f82c8b..4f0040d 100644
--- a/.grype.yaml
+++ b/.grype.yaml
@@ -43,3 +43,16 @@ ignore:
 # > typically be under attacker control making active exploitation
 # > unlikely.
 - vulnerability: CVE-2024-5535
+ # CVE-2024-5171
+ # =============
+ #
+ # NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-5171
+ # Verdict: Dangerzone is not affected. The rationale is the following:
+ #
+ # The affected library, `libaom.so`, is linked by GStreamer's `libgstaom.so`
+ # library. The vulnerable `aom_img_alloc` function is only used when
+ # **encoding** a video to AV1. LibreOffce uses the **decode** path instead,
+ # when generating thumbnails.
+ #
+ # See also: https://github.com/freedomofpress/dangerzone/issues/895
+ - vulnerability: CVE-2024-5171
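Review bot: The ignore entry added at the end of the hunk silences CVE-2024-5171, while the patch subject and description say CVE-2024-5175; one of the two identifiers is wrong, and if the scanner actually reports 5175 this entry will not suppress it, whereas if it reports 5171 the commit history misattributes the decision. Verify the identifier against the grype finding and the NVD page linked in the comment, and make the subject line match the entry. The comment also carries the typo `LibreOffce`, and since the justification rests entirely on LibreOffice using only the decode path, it would help to record what should trigger a reassessment, e.g. `# Revisit if LibreOffice or GStreamer start encoding AV1, or if the CVE scope changes.`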