From: Peter Marko <[email protected]> This was fixed in 2.0.14, but NVD DB lists > 2.0.20 causing false positives in CVE metrics.
NVD entries [1] and [2] list commit [3] which redirects to commit [4]. Also Debian 10 uses this commit, while Debian 11 with 2.0.14 does not patch it and claims it's fixed. Trying to apply the patch shows it's already applied. Following shows git history of this commit wrt tags. SDL$ git describe a7ff6e96155f550a5597621ebeddd03c98aa9294 --tags release-2.0.12-305-ga7ff6e961 SDL$ git describe release-2.0.14 --tags --match=release-2.0.12 release-2.0.12-873-g4cd981609 SDL$ git describe release-2.0.20 --tags --match=release-2.0.12 release-2.0.12-3126-gb424665e0 [1] https://nvd.nist.gov/vuln/detail/CVE-2020-14409 [2] https://nvd.nist.gov/vuln/detail/CVE-2020-14410 [3] https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9 [4] https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294 Signed-off-by: Peter Marko <[email protected]> --- meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb index abcf232e25..6d30d0baa8 100644 --- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb +++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb @@ -82,3 +82,6 @@ PACKAGECONFIG[x11] = "-DSDL_X11=ON,-DSDL_X11=OFF,virtual/libx11 libxext l CFLAGS:append:class-native = " -DNO_SHARED_MEMORY" BBCLASSEXTEND = "native nativesdk" + +# These are fixed since 2.0.14, NVD DB incorrectly lists > 20.0.20 +CVE_CHECK_IGNORE += "CVE-2020-14409 CVE-2020-14410" -- 2.30.2
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#208442): https://lists.openembedded.org/g/openembedded-core/message/208442 Mute This Topic: https://lists.openembedded.org/mt/109967648/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
