From 2bd09e994f2a3f84154483136a6b66053e8de1ea Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis
Date: Mon, 9 Sep 2024 21:56:14 +0300
Subject: [PATCH] Ignore the recent libexpat CVEs

Ignore the recent libexpat CVEs, as they don't affect Dangerzone.

Closes #913
---
 .grype.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/.grype.yaml b/.grype.yaml
index 2a35328..dab8358 100644
--- a/.grype.yaml
+++ b/.grype.yaml
@@ -16,3 +16,33 @@ ignore:
 #
 # See also: https://github.com/freedomofpress/dangerzone/issues/895
 - vulnerability: CVE-2024-5171
+
+ # CVE-2024-45491, CVE-2024-45492
+ # ===============================
+ #
+ # NVD Entries:
+ # * https://nvd.nist.gov/vuln/detail/CVE-2024-45491
+ # * https://nvd.nist.gov/vuln/detail/CVE-2024-45492
+ #
+ # Verdict: Dangerzone is not affected. The rationale is the following:
+ #
+ # The vulnerabilities that have been assigned to these CVEs affect only 32-bit
+ # architectures. Dangerzone ships only 64-bit images to users.
+ #
+ # See also: https://github.com/freedomofpress/dangerzone/issues/913
+ - vulnerability: CVE-2024-45491
+ - vulnerability: CVE-2024-45492
+
+ # CVE-2024-45490
+ # ==============
+ #
+ # NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-45490
+ # Verdict: Dangerzone is not affected. The rationale is the following:
+ #
+ # In order to exploit this bug, the caller must pass a negative length to the
+ # `XML_ParseBuffer` function. This function is not directly used by
+ # LibreOffice, which instead uses a higher-level wrapper. Therefore, our
+ # understanding is that this path cannot be exploited by attackers.
+ #
+ # See also: https://github.com/freedomofpress/dangerzone/issues/913
+ - vulnerability: CVE-2024-45490
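Review bot: The three new `- vulnerability:` entries suppress these CVEs for every package in the scanned image, while the written rationale for CVE-2024-45490 only covers LibreOffice's use of libexpat, so any other expat consumer that may be present in the image would be silenced by the same rule without having been assessed. Grype ignore rules can be narrowed with a `package:` selector (for example `package: { name: <libexpat package name> }`) so the suppression stays tied to the component the analysis actually looked at. It would also help to record a review trigger next to each verdict, such as `# Revisit when the base image ships libexpat >= <fixed version>`, because an unconditioned ignore keeps matching after the vulnerable version is gone and after any later reassessment of the "wrapper only" argument. The 32-bit rationale for CVE-2024-45491/45492 is tied to the image architecture, so a one-line note stating which architectures the CI scan covers would make that verdict checkable from the file alone.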