[meta-oe,09/11] sassc: ignore CVE-2022-43357

Message ID	20241220153629.2499631-10-peter.marko@siemens.com
State	Under Review
Headers	show Return-Path: <peter.marko@siemens.com> ip: 185.136.65.226, mailfrom: fm-256628-2024122015375437482cc290493d17e6-70ewom@rts-flowmailer.siemens.com) From: Peter Marko <peter.marko@siemens.com> To: openembedded-devel@lists.openembedded.org Cc: Peter Marko <peter.marko@siemens.com> Subject: [meta-oe][PATCH 09/11] sassc: ignore CVE-2022-43357 Date: Fri, 20 Dec 2024 16:36:27 +0100 Message-Id: <20241220153629.2499631-10-peter.marko@siemens.com> In-Reply-To: <20241220153629.2499631-1-peter.marko@siemens.com> References: <20241220153629.2499631-1-peter.marko@siemens.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Feedback-ID: 519:519-256628:519-21489:flowmailer
Series	upgrade recipes to solve CVEs \| expand [meta-oe,00/11] upgrade recipes to solve CVEs [meta-oe,01/11] opensc: upgrade 0.25.1 -> 0.26.0 [meta-oe,02/11] opensc: mark CVE-2024-8443 as fixed [meta-oe,03/11] memcached: add UPSTREAM_CHECK_URI [meta-oe,04/11] memcached: upgrade 1.6.17 -> 1.6.33 [meta-oe,05/11] php: upgrade 8.2.20 -> 8.2.26 [meta-oe,06/11] libmemcached: remove recipe for version 1.0.7 [meta-oe,07/11] libmemcached: merge inc into bb [meta-oe,08/11] libmemcached: ignore CVE-2023-27478 [meta-oe,09/11] sassc: ignore CVE-2022-43357 [meta-oe,10/11] wireshark: upgrade 4.2.8 -> 4.2.9 [meta-oe,11/11] weechat: upgrade 4.0.4 -> 4.5.0

Message ID

20241220153629.2499631-10-peter.marko@siemens.com

State

Under Review

Headers

From: Peter Marko <peter.marko@siemens.com>
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko <peter.marko@siemens.com>
Subject: [meta-oe][PATCH 09/11] sassc: ignore CVE-2022-43357
Date: Fri, 20 Dec 2024 16:36:27 +0100
Message-Id: <20241220153629.2499631-10-peter.marko@siemens.com>
In-Reply-To: <20241220153629.2499631-1-peter.marko@siemens.com>
References: <20241220153629.2499631-1-peter.marko@siemens.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Feedback-ID: 519:519-256628:519-21489:flowmailer

Series

upgrade recipes to solve CVEs | expand

Commit Message

Marko, Peter Dec. 20, 2024, 3:36 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

This CVE is fixed in current libsass recipe version.
So wrapper around it will also not show this problem.
It's usual usecase is to be statically linked with libsass which is
probably the reason why this is listed as vulnerable component.

[1] links [2] as issue tracker which points to [3] as fix.
[4] as base repository for the recipe is not involved and files from [3]
    are not present in this repository.

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357
[2] https://github.com/sass/libsass/issues/3177
[3] https://github.com/sass/libsass/pull/3184
[4] https://github.com/sass/sassc/

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta-oe/recipes-support/sass/sassc_git.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-oe/recipes-support/sass/sassc_git.bb b/meta-oe/recipes-support/sass/sassc_git.bb
index 9bb8c76e87..94d69642a7 100644
--- a/meta-oe/recipes-support/sass/sassc_git.bb
+++ b/meta-oe/recipes-support/sass/sassc_git.bb
@@ -11,4 +11,6 @@  SRCREV = "66f0ef37e7f0ad3a65d2f481eff09d09408f42d0"
 S = "${WORKDIR}/git"
 PV = "3.6.2"
 
+CVE_STATUS[CVE-2022-43357] = "cpe-incorrect: this is CVE for libsass, not sassc wrapper"
+
 BBCLASSEXTEND = "native"

[meta-oe,09/11] sassc: ignore CVE-2022-43357

Commit Message

Patch