From: Peter Marko <peter.ma...@siemens.com>
This CVE is fixed in current libsass recipe version.
So wrapper around it will also not show this problem.
It's usual usecase is to be statically linked with libsass which is
probably the reason why this is listed as vulnerable component.
[1] links [2] as issue tracker which points to [3] as fix.
[4] as base repository for the recipe is not involved and files from [3]
are not present in this repository.
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357
[2] https://github.com/sass/libsass/issues/3177
[3] https://github.com/sass/libsass/pull/3184
[4] https://github.com/sass/sassc/
Signed-off-by: Peter Marko <peter.ma...@siemens.com>
---
meta-oe/recipes-support/sass/sassc_git.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta-oe/recipes-support/sass/sassc_git.bb
b/meta-oe/recipes-support/sass/sassc_git.bb
index 9bb8c76e87..94d69642a7 100644
--- a/meta-oe/recipes-support/sass/sassc_git.bb
+++ b/meta-oe/recipes-support/sass/sassc_git.bb
@@ -11,4 +11,6 @@ SRCREV = "66f0ef37e7f0ad3a65d2f481eff09d09408f42d0"
S = "${WORKDIR}/git"
PV = "3.6.2"
+CVE_STATUS[CVE-2022-43357] = "cpe-incorrect: this is CVE for libsass, not
sassc wrapper"
+
BBCLASSEXTEND = "native"
--
2.30.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#114445):
https://lists.openembedded.org/g/openembedded-devel/message/114445
Mute This Topic: https://lists.openembedded.org/mt/110215911/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
