Merge branch 'feat/newlib-sbom-exclude_cve-2024-30949' into 'master'

fix(newlib): sbom: add CVE-2024-30949 to cve-exclude-list See merge request espressif/esp-idf!33947
2024-10-03 12:30:44 +08:00
parent ac6c54c997 c4acf3faad
commit c90dd52974
2 changed files with 12 additions and 0 deletions
--- a/components/newlib/sbom.yml
+++ b/components/newlib/sbom.yml
@ -4,3 +4,6 @@ cpe: cpe:2.3:a:newlib_project:newlib:{}:*:*:*:*:*:*:*
 supplier: 'Organization: Espressif Systems (Shanghai) CO LTD'
 originator: 'Organization: Red Hat Incorporated'
 description: An open-source C standard library implementation with additional features and patches from Espressif.
+cve-exclude-list:
+  - cve: CVE-2024-30949
+    reason: A vulnerability was discovered in the gettimeofday system call implementation within the RISC-V libgloss component of Newlib. ESP-IDF does not link against libgloss for RISC-V, hence the issue is not directly applicable. Still, the relevant fix has been patched through https://github.com/espressif/newlib-esp32/commit/047ba47013c2656a1e7838dc86cbc75aeeaa67a7
--- a/docs/en/security/vulnerabilities.rst
+++ b/docs/en/security/vulnerabilities.rst
@ -10,6 +10,15 @@ This page briefly lists all of the vulnerabilities that are discovered and fixed
 CVE-2024
 --------

+CVE-2024-30949
+~~~~~~~~~~~~~~
+
+RISC-V gettimeofday system call vulnerability in Newlib's
+
+* Impact: ESP-IDF does not use system call implementations from Newlib
+* Resolution: NA
+
+
 CVE-2024-28183
 ~~~~~~~~~~~~~~