forked from freedomofpress/dangerzone
-
Notifications
You must be signed in to change notification settings - Fork 0
/
.grype.yaml
48 lines (45 loc) · 1.84 KB
/
.grype.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# This configuration file will be used to track CVEs that we can ignore for the
# latest release of Dangerzone, and offer our analysis.
ignore:
- vulnerability: CVE-2024-5535
# CVE-2024-5171
# =============
#
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-5171
# Verdict: Dangerzone is not affected. The rationale is the following:
#
# The affected library, `libaom.so`, is linked by GStreamer's `libgstaom.so`
# library. The vulnerable `aom_img_alloc` function is only used when
# **encoding** a video to AV1. LibreOffce uses the **decode** path instead,
# when generating thumbnails.
#
# See also: https://github.com/freedomofpress/dangerzone/issues/895
- vulnerability: CVE-2024-5171
# CVE-2024-45491, CVE-2024-45492
# ===============================
#
# NVD Entries:
# * https://nvd.nist.gov/vuln/detail/CVE-2024-45491
# * https://nvd.nist.gov/vuln/detail/CVE-2024-45492
#
# Verdict: Dangerzone is not affected. The rationale is the following:
#
# The vulnerabilities that have been assigned to these CVEs affect only 32-bit
# architectures. Dangerzone ships only 64-bit images to users.
#
# See also: https://github.com/freedomofpress/dangerzone/issues/913
- vulnerability: CVE-2024-45491
- vulnerability: CVE-2024-45492
# CVE-2024-45490
# ==============
#
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-45490
# Verdict: Dangerzone is not affected. The rationale is the following:
#
# In order to exploit this bug, the caller must pass a negative length to the
# `XML_ParseBuffer` function. This function is not directly used by
# LibreOffice, which instead uses a higher-level wrapper. Therefore, our
# understanding is that this path cannot be exploited by attackers.
#
# See also: https://github.com/freedomofpress/dangerzone/issues/913
- vulnerability: CVE-2024-45490