git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commitdiff
tar: set status for CVE-2025-45582
author Peter Marko <peter.marko@siemens.com>
Mon, 13 Apr 2026 21:14:44 +0000 (23:14 +0200)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Thu, 16 Apr 2026 10:09:38 +0000 (11:09 +0100)
This CVE is disputed by tar maintainers as documented in [1].
The same link is present in NVD and cvelistV5.
Also Debian says "disputed" in [2].

[1] https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
[2] https://security-tracker.debian.org/tracker/CVE-2025-45582

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/recipes-extended/tar/tar_1.35.bb

index d463eff97d68578f0e8101aab019d179e508a27b..042baa035c915b1b5aa2066eb2eda520fc756b59 100644 (file)
@@ -95,6 +95,8 @@ BBCLASSEXTEND = "native nativesdk"
 # For example CVE-2021-{32803,32804,37701,37712,37713}
 CVE_PRODUCT = "gnu:tar"
 
+CVE_STATUS[CVE-2025-45582] = "disputed"
+
 # A test uses cmp to compare two 8GB files. Busybox's cmp does the job usually, but it is much slower than
 # diffutils' cmp, and the test times out when there is a high load on the host machine.
 RDEPENDS:${PN}-ptest += "diffutils"
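
Review bot: The added `CVE_STATUS[CVE-2025-45582] = "disputed"` (new line 98) carries only the bare status, so the reason for the dispute and the supporting links exist only in the commit message and are not visible to anyone reading the recipe. CVE_STATUS accepts a description after the status, so consider putting the rationale in the value, for example `CVE_STATUS[CVE-2025-45582] = "disputed: disputed by tar maintainers, see https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html"`, or at least a comment line above the assignment with that link. That also keeps the entry from reading as part of the preceding CVE_PRODUCT comment block about the CVE-2021 identifiers.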