
[wrynose,11/28] libsdl2: set status for CVE-2026-35444

Message ID e2ea9d60afddf38e5a8d4a7c4d22e5efd98a5e4e.1779232800.git.yoann.congal@smile.fr
State New
Series [wrynose,01/28] README: Add wrynose subject-prefix to git-send-email suggestion

Commit Message

Yoann Congal May 19, 2026, 11:29 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

This CVE is for SDL_IMAGE, not SDL.

Mapping in sbom-cve-check tool seems to be wrong at [1].
It maps both SDL and SDL_IMAGE to the same CPE.

[1] https://github.com/bootlin/sbom-cve-check/blob/v1.3.0/src/sbom_cve_check/products/products.toml#L1608

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fef169063e49f516ea96e2243869808ba58550d0)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-graphics/libsdl2/libsdl2_2.32.10.bb | 2 ++
 1 file changed, 2 insertions(+)

Comments

Paul Barker May 20, 2026, 7:37 a.m. UTC | #1
On Wed, 2026-05-20 at 01:29 +0200, Yoann Congal via
lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
> 
> This CVE is for SDL_IMAGE, not SDL.
> 
> Mapping in sbom-cve-check tool seems to be wrong at [1].
> It maps both SDL and SDL_IMAGE to the same CPE.
> 
> [1] https://github.com/bootlin/sbom-cve-check/blob/v1.3.0/src/sbom_cve_check/products/products.toml#L1608
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit fef169063e49f516ea96e2243869808ba58550d0)
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>

Hi Yoann,

We should not need to backport this if we take the update to
sbom-cve-check 1.3.1 (earlier in this series) as it fixes the offending
products.toml entries.

https://github.com/bootlin/sbom-cve-check/commit/30a5b3e94bbdd27557d3b8b7b1917b9980fc2564

Best regards,
Yoann Congal May 20, 2026, 7:56 a.m. UTC | #2
On Wed May 20, 2026 at 9:37 AM CEST, Paul Barker wrote:
> On Wed, 2026-05-20 at 01:29 +0200, Yoann Congal via
> lists.openembedded.org wrote:
>> From: Peter Marko <peter.marko@siemens.com>
>> 
>> This CVE is for SDL_IMAGE, not SDL.
>> 
>> Mapping in sbom-cve-check tool seems to be wrong at [1].
>> It maps both SDL and SDL_IMAGE to the same CPE.
>> 
>> [1] https://github.com/bootlin/sbom-cve-check/blob/v1.3.0/src/sbom_cve_check/products/products.toml#L1608
>> 
>> Signed-off-by: Peter Marko <peter.marko@siemens.com>
>> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>> (cherry picked from commit fef169063e49f516ea96e2243869808ba58550d0)
>> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
>
> Hi Yoann,
>
> We should not need to backport this if we take the update to
> sbom-cve-check 1.3.1 (earlier in this series) as it fixes the offending
> products.toml entries.
>
> https://github.com/bootlin/sbom-cve-check/commit/30a5b3e94bbdd27557d3b8b7b1917b9980fc2564

Agreed, I removed it from my branch, I'll send a v2 of the series.

Thanks!

>
> Best regards,

Patch

diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.32.10.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.32.10.bb
index 834cf096b97..2b583448ef5 100644
--- a/meta/recipes-graphics/libsdl2/libsdl2_2.32.10.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.32.10.bb
@@ -85,3 +85,5 @@  CFLAGS:append:class-native = " -DNO_SHARED_MEMORY"
 FILES:${PN} += "${datadir}/licenses/SDL2/LICENSE.txt"
 
 BBCLASSEXTEND = "native nativesdk"
+
+CVE_STATUS[CVE-2026-35444] = "cpe-incorrect: this CVE is for sdl_image"
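Review bot: The CVE_STATUS line at the end of this hunk works around the sbom-cve-check products.toml mapping bug in the scanner rather than in the recipe, and the thread above points out that the sbom-cve-check 1.3.1 update earlier in this series already corrects the offending products.toml entries, so this per-recipe entry becomes redundant once that update is taken. If the entry is kept anyway (for example because the branch cannot take the tool update), the justification string should also cite the upstream mapping fix so a later reader knows when it can be dropped, e.g. `CVE_STATUS[CVE-2026-35444] = "cpe-incorrect: this CVE is for sdl_image; sbom-cve-check < 1.3.1 mapped sdl and sdl_image to the same CPE"`. Either way, a status keyed only on this CVE id does not address the root cause of the shared CPE, so any further SDL_image CVEs would need the same treatment until the tool fix is in use.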