Commit c4acf3f

fix(newlib): sbom: add CVE-2024-30949 to cve-exclude-list
1 parent ffdf59a commit c4acf3f

2 files changed

+12
-0
lines changed

components/newlib/sbom.yml

Lines changed: 3 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -4,3 +4,6 @@ cpe: cpe:2.3:a:newlib_project:newlib:{}:*:*:*:*:*:*:*
44
supplier: 'Organization: Espressif Systems (Shanghai) CO LTD'
55
originator: 'Organization: Red Hat Incorporated'
66
description: An open-source C standard library implementation with additional features and patches from Espressif.
7+
cve-exclude-list:
8+
- cve: CVE-2024-30949
9+
reason: A vulnerability was discovered in the gettimeofday system call implementation within the RISC-V libgloss component of Newlib. ESP-IDF does not link against libgloss for RISC-V, hence the issue is not directly applicable. Still, the relevant fix has been patched through https://github.com/espressif/newlib-esp32/commit/047ba47013c2656a1e7838dc86cbc75aeeaa67a7
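Review bot: The `reason` text on diff line 9 gives two different justifications, that ESP-IDF does not link libgloss for RISC-V so the issue does not apply, and that the fix has nonetheless been applied in newlib-esp32; an SBOM consumer reading this exclusion needs to know which one holds for the shipped component. Suggest stating the not-affected rationale as the exclusion reason and noting the backport separately, and naming the newlib-esp32 release that carries commit 047ba47013c2656a1e7838dc86cbc75aeeaa67a7, since the `cpe` line in this file uses a `{}` version placeholder and the exclusion otherwise applies to every version of the component.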

docs/en/security/vulnerabilities.rst

Lines changed: 9 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -10,6 +10,15 @@ This page briefly lists all of the vulnerabilities that are discovered and fixed
1010
CVE-2024
1111
--------
1212

13+
CVE-2024-30949
14+
~~~~~~~~~~~~~~
15+
16+
RISC-V gettimeofday system call vulnerability in Newlib's
17+
18+
* Impact: ESP-IDF does not use system call implementations from Newlib
19+
* Resolution: NA
20+
21+
1322
CVE-2024-28183
1423
~~~~~~~~~~~~~~
1524
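Review bot: The `* Resolution: NA` line on diff line 19 contradicts the `sbom.yml` change in the same commit, which says the fix was applied via the newlib-esp32 commit; suggest pointing the resolution at that commit, or stating explicitly that no resolution is needed because the libgloss code path is not linked, so the two documents agree. Also, the description on diff line 16, `RISC-V gettimeofday system call vulnerability in Newlib's`, is cut off mid-sentence; the `sbom.yml` reason identifies the component as the RISC-V libgloss, so the sentence should be completed with that. Finally, the Impact line on diff line 18 claims ESP-IDF does not use any system call implementations from Newlib, which is broader than the `sbom.yml` wording (libgloss for RISC-V specifically); consider matching the narrower claim.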
