almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-28 18:02:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

grype: Ignore CVE-2024-11053

Browse source 
Ignore the CVE-2024-11053 vulnerability, since it's a libcurl one, and
the Dangerzone container does not make network calls.

Also, clear the previous vulnerabilities, now that we have a new image
out.
This commit is contained in:
Alex Pyrgiotis 2024-12-16 17:39:36 +02:00 committed by Alexis Métaireau
parent 1ea2f109cb
commit fb7c2088e2
No known key found for this signature in database
GPG key ID: C65C7A89A8FFC56E
1 changed files with 5 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
.grype.yaml
View file

@ -2,47 +2,10 @@
# latest release of Dangerzone, and offer our analysis. # latest release of Dangerzone, and offer our analysis.
ignore: ignore:
- vulnerability: CVE-2024-5535 # CVE-2024-11053
# CVE-2024-5171
# =============
#
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-5171
# Verdict: Dangerzone is not affected. The rationale is the following:
#
# The affected library, `libaom.so`, is linked by GStreamer's `libgstaom.so`
# library. The vulnerable `aom_img_alloc` function is only used when
# **encoding** a video to AV1. LibreOffce uses the **decode** path instead,
# when generating thumbnails.
#
# See also: https://github.com/freedomofpress/dangerzone/issues/895
- vulnerability: CVE-2024-5171
# CVE-2024-45491, CVE-2024-45492
# ===============================
#
# NVD Entries:
# * https://nvd.nist.gov/vuln/detail/CVE-2024-45491
# * https://nvd.nist.gov/vuln/detail/CVE-2024-45492
#
# Verdict: Dangerzone is not affected. The rationale is the following:
#
# The vulnerabilities that have been assigned to these CVEs affect only 32-bit
# architectures. Dangerzone ships only 64-bit images to users.
#
# See also: https://github.com/freedomofpress/dangerzone/issues/913
- vulnerability: CVE-2024-45491
- vulnerability: CVE-2024-45492
# CVE-2024-45490
# ============== # ==============
# #
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-45490 # NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-11053
# Verdict: Dangerzone is not affected. The rationale is the following: # Verdict: Dangerzone is not affected because libcurl is an HTTP client, and
# # the Dangerzone container does not make any network calls.
# In order to exploit this bug, the caller must pass a negative length to the - vulnerability: CVE-2024-11053
# `XML_ParseBuffer` function. This function is not directly used by
# LibreOffice, which instead uses a higher-level wrapper. Therefore, our
# understanding is that this path cannot be exploited by attackers.
#
# See also: https://github.com/freedomofpress/dangerzone/issues/913
- vulnerability: CVE-2024-45490