helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-04-02 02:49:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

sassc: ignore CVE-2022-43357

Browse Source 
This CVE is fixed in current libsass recipe version.
So wrapper around it will also not show this problem.
It's usual usecase is to be statically linked with libsass which is
probably the reason why this is listed as vulnerable component.

[1] links [2] as issue tracker which points to [3] as fix.
[4] as base repository for the recipe is not involved and files from [3]
    are not present in this repository.

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357
[2] https://github.com/sass/libsass/issues/3177
[3] https://github.com/sass/libsass/pull/3184
[4] https://github.com/sass/sassc/

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 576b84263bac4dda26d84d116a9e7628a126f866)

Scarthgap has also the fixed libsass version (3.6.6), the CVE can
be considered fixed.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Peter Marko 2026-03-05 17:28:05 +01:00 committed by Anuj Mittal
parent 604a54d742
commit ada8211493
No known key found for this signature in database
GPG Key ID: 4340AEFE69F5085C
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
meta-oe/recipes-support/sass/sassc_git.bb
View File

@ -11,4 +11,6 @@ SRCREV = "66f0ef37e7f0ad3a65d2f481eff09d09408f42d0"
S = "${WORKDIR}/git"
PV = "3.6.2"
CVE_STATUS[CVE-2022-43357] = "cpe-incorrect: this is CVE for libsass, not sassc wrapper"
BBCLASSEXTEND = "native"