[kirkstone,1/7] libsdl2: ignore CVE-2020-14409 and CVE-2020-14410

Message ID 3079d562b4df69ab0ac20ec8d13a4240ce0a3514.1733928291.git.steve@sakoman.com
State Accepted, archived
Commit 3079d562b4df69ab0ac20ec8d13a4240ce0a3514
Delegated to: Steve Sakoman

Commit Message

Steve Sakoman Dec. 11, 2024, 2:47 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

This was fixed in 2.0.14, but NVD DB lists > 2.0.20 causing
false positives in CVE metrics.

NVD entries [1] and [2] list commit [3] which redirects to commit [4].
Also Debian 10 uses this commit, while Debian 11 with 2.0.14 does not
patch it and claims it's fixed.

Trying to apply the patch shows it's already applied.

The following shows the git history of this commit with respect to tags.
SDL$ git describe a7ff6e96155f550a5597621ebeddd03c98aa9294 --tags
release-2.0.12-305-ga7ff6e961
SDL$ git describe release-2.0.14 --tags --match=release-2.0.12
release-2.0.12-873-g4cd981609
SDL$ git describe release-2.0.20 --tags --match=release-2.0.12
release-2.0.12-3126-gb424665e0

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-14409
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-14410
[3] https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9
[4] https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb | 3 +++
 1 file changed, 3 insertions(+)

Patch

diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb
index abcf232e25..6d30d0baa8 100644
--- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb
@@ -82,3 +82,6 @@  PACKAGECONFIG[x11]        = "-DSDL_X11=ON,-DSDL_X11=OFF,virtual/libx11 libxext l
 CFLAGS:append:class-native = " -DNO_SHARED_MEMORY"
 
 BBCLASSEXTEND = "native nativesdk"
+
+# These are fixed since 2.0.14, NVD DB incorrectly lists > 20.0.20
+CVE_CHECK_IGNORE += "CVE-2020-14409 CVE-2020-14410"
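Review bot: the comment added above the CVE_CHECK_IGNORE line says "NVD DB incorrectly lists > 20.0.20", but the recipe is libsdl2_2.0.20.bb and the commit message says 2.0.20; fix the version typo so the comment reads "> 2.0.20". It would also help to name the upstream fix in the comment (the SDL commit a7ff6e96155f550a5597621ebeddd03c98aa9294 referenced in the commit message), since the ignore will have to be re-justified or dropped the next time the recipe version is bumped and a bare "fixed since 2.0.14" gives the next maintainer nothing to re-verify against.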
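The check behind the justification above (is the upstream fix commit actually contained in the release tag the recipe builds?), as an added example that is not part of the recipe or of the SDL project: it parses `git describe --tags` output the way the commit message compares it, handling tag names that themselves contain hyphens such as release-2.0.12, and uses `git merge-base --is-ancestor` for the authoritative answer, because a smaller describe distance alone does not prove ancestry. The repository path and the command-line usage are assumptions; the sample describe strings are constructed from the ones quoted in the commit message.

```python
"""Verify that a CVE-fixing upstream commit is contained in a release tag.

Added example for this page; it is not code from the libsdl2 recipe or
from the SDL project. The `git describe` strings used as sample input are
constructed to mirror the ones quoted in the commit message, and the
repository path passed to is_ancestor() / describe_against() is assumed.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# `git describe --tags` prints either an exact tag or
# <tag>-<count>-g<abbrev-hash>, optionally followed by "-dirty".
# Tag names may contain hyphens themselves (release-2.0.12), so a plain
# split on "-" is wrong; the lazy <tag> group makes the regex take the
# shortest tag for which the trailing "-N-g<hex>" part still matches.
_DESCRIBE_RE = re.compile(
    r"^(?P<tag>.+?)(?:-(?P<count>\d+)-g(?P<abbrev>[0-9a-f]+))?(?P<dirty>-dirty)?$"
)


@dataclass(frozen=True)
class Describe:
    tag: str               # nearest matching tag reachable from the commit
    distance: int          # commits reachable from the commit but not from the tag
    abbrev: Optional[str]  # abbreviated commit hash; None when exactly on the tag


def parse_describe(text: str) -> Describe:
    m = _DESCRIBE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised git describe output: {text!r}")
    count = m.group("count")
    return Describe(m.group("tag"), int(count) if count else 0, m.group("abbrev"))


def distance_suggests_included(fix: Describe, release: Describe) -> bool:
    """Heuristic the commit message relies on: when the fix commit and the
    release tag are both described against the same base tag, a smaller
    distance for the fix is consistent with it predating the release.
    It is not proof of ancestry (a commit on a side branch can have a small
    distance and still be missing from the release); use is_ancestor()."""
    return fix.tag == release.tag and fix.distance < release.distance


def is_ancestor(repo: str, commit: str, ref: str) -> bool:
    """Authoritative check: `git merge-base --is-ancestor A B` exits 0 when
    A is reachable from B, 1 when it is not, and >1 on error."""
    result = subprocess.run(
        ["git", "-C", repo, "merge-base", "--is-ancestor", commit, ref],
        capture_output=True, text=True,
    )
    if result.returncode == 0:
        return True
    if result.returncode == 1:
        return False
    raise RuntimeError(result.stderr.strip() or f"git exited {result.returncode}")


def describe_against(repo: str, rev: str, base_tag: str) -> Describe:
    """Run `git describe --tags --match=<base_tag> <rev>` (as in the commit
    message) against an assumed local clone and parse the result."""
    out = subprocess.check_output(
        ["git", "-C", repo, "describe", "--tags", f"--match={base_tag}", rev],
        text=True,
    )
    return parse_describe(out)


# Constructed sample input mirroring the describe output quoted above:
# the fix commit and two release tags, all described against release-2.0.12.
SAMPLE_FIX = "release-2.0.12-305-ga7ff6e961"
SAMPLE_2_0_14 = "release-2.0.12-873-g4cd981609"
SAMPLE_2_0_20 = "release-2.0.12-3126-gb424665e0"

if __name__ == "__main__":
    import sys

    fix = parse_describe(SAMPLE_FIX)
    for name, sample in (("2.0.14", SAMPLE_2_0_14), ("2.0.20", SAMPLE_2_0_20)):
        rel = parse_describe(sample)
        print(f"{name}: fix distance {fix.distance} < release distance "
              f"{rel.distance}: {distance_suggests_included(fix, rel)}")
    # Assumed usage: python3 check.py /path/to/SDL <fix-commit> release-2.0.14
    if len(sys.argv) == 4:
        repo, commit, tag = sys.argv[1:]
        print(f"{commit[:9]} contained in {tag}: {is_ancestor(repo, commit, tag)}")
```

The heuristic function is kept only because it is the comparison the commit message makes; when a recipe bump or a disputed NVD range is being triaged, run `is_ancestor()` against the exact release tag the recipe builds and record that commit hash next to the ignore so the justification stays checkable.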