From: Peter Marko
Date: Mon, 13 Apr 2026 21:14:44 +0000 (+0200)
Subject: tar: set status for CVE-2025-45582
X-Git-Tag: yocto-6.0~99
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0716e7461d71c5512a7d1622d1351815668eaa49;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git

tar: set status for CVE-2025-45582

This CVE is disputed by tar maintainers as documented in [1]. The same link is present in NVD and cvelistV5. Also Debian says "disputed" in [2].

[1] https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
[2] https://security-tracker.debian.org/tracker/CVE-2025-45582

Signed-off-by: Peter Marko
Signed-off-by: Richard Purdie
---

diff --git a/meta/recipes-extended/tar/tar_1.35.bb b/meta/recipes-extended/tar/tar_1.35.bb
index d463eff97d..042baa035c 100644
--- a/meta/recipes-extended/tar/tar_1.35.bb
+++ b/meta/recipes-extended/tar/tar_1.35.bb
@@ -95,6 +95,8 @@ BBCLASSEXTEND = "native nativesdk"
 # For example CVE-2021-{32803,32804,37701,37712,37713}
 CVE_PRODUCT = "gnu:tar"
 
+CVE_STATUS[CVE-2025-45582] = "disputed"
+
 # A test uses cmp to compare two 8GB files. Busybox's cmp does the job usually, but it is much slower than
 # diffutils' cmp, and the test times out when there is a high load on the host machine.
 RDEPENDS:${PN}-ptest += "diffutils"
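Review bot: The added `CVE_STATUS[CVE-2025-45582] = "disputed"` line carries no reason or reference, so the justification exists only in the commit message and is lost to anyone reading the recipe or the CVE scan output. CVE_STATUS accepts a free-text description after the detail keyword, so I would write `CVE_STATUS[CVE-2025-45582] = "disputed: disputed by tar maintainers, see https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html"`. A disputed status presumably takes this ID out of the unpatched list in cve-check reports. The recorded reason is then what lets a downstream integrator who extracts untrusted archives re-evaluate the decision, rather than take the silence as "not affected".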