diff mbox series

[3/6] tar: set status for CVE-2025-45582

Message ID 20260413211447.564257-3-peter.marko@siemens.com
State Under Review
Headers show
Series [1/6] xdg-utils: set status for CVE-2025-52968 | expand

Commit Message

Peter Marko April 13, 2026, 9:14 p.m. UTC 
From: Peter Marko <peter.marko@siemens.com>

This CVE is disputed by tar maintainers as documented in [1].
The same link is present in NVD and cvelistV5.
Also Debian says "disputed" in [2].

[1] https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
[2] https://security-tracker.debian.org/tracker/CVE-2025-45582

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-extended/tar/tar_1.35.bb | 2 ++
 1 file changed, 2 insertions(+)
diff mbox series

Patch

diff --git a/meta/recipes-extended/tar/tar_1.35.bb b/meta/recipes-extended/tar/tar_1.35.bb
index d463eff97d..042baa035c 100644
--- a/meta/recipes-extended/tar/tar_1.35.bb
+++ b/meta/recipes-extended/tar/tar_1.35.bb
@@ -95,6 +95,8 @@  BBCLASSEXTEND = "native nativesdk"
 # For example CVE-2021-{32803,32804,37701,37712,37713}
 CVE_PRODUCT = "gnu:tar"
 
+CVE_STATUS[CVE-2025-45582] = "disputed"
+
 # A test uses cmp to compare two 8GB files. Busybox's cmp does the job usually, but it is much slower than
 # diffutils' cmp, and the test times out when there is a high load on the host machine.
 RDEPENDS:${PN}-ptest += "diffutils"