From: Peter Marko
Date: Wed, 29 Apr 2026 19:36:44 +0000 (+0200)
Subject: libsdl2: set status for CVE-2026-35444
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fef169063e49f516ea96e2243869808ba58550d0;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git
libsdl2: set status for CVE-2026-35444
This CVE is for SDL_IMAGE, not SDL. Mapping in sbom-cve-check tool seems to be wrong at [1]. It maps both SDL and SDL_IMAGE to the same CPE. [1] https://github.com/bootlin/sbom-cve-check/blob/v1.3.0/src/sbom_cve_check/products/products.toml#L1608
Signed-off-by: Peter Marko
Signed-off-by: Richard Purdie
---
diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.32.10.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.32.10.bb
index 834cf096b9..2b583448ef 100644
--- a/meta/recipes-graphics/libsdl2/libsdl2_2.32.10.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.32.10.bb
@@ -85,3 +85,5 @@ CFLAGS:append:class-native = " -DNO_SHARED_MEMORY"
 FILES:${PN} += "${datadir}/licenses/SDL2/LICENSE.txt"
 BBCLASSEXTEND = "native nativesdk"
+
+CVE_STATUS[CVE-2026-35444] = "cpe-incorrect: this CVE is for sdl_image"
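Review bot: The added `CVE_STATUS[CVE-2026-35444]` line at the end of the recipe records the conclusion but not the cause, so a later reader cannot tell when the entry can be removed. The commit message attributes the match to sbom-cve-check mapping SDL and SDL_image to the same CPE; I would carry that into the recipe with a comment above the assignment, for example `# sbom-cve-check maps SDL and SDL_image to one CPE; drop this once the product mapping is fixed`. If that mapping stays as it is, later SDL_image CVEs would presumably match libsdl2 again and each need its own entry, so fixing it in the tool is the durable route. It is also worth confirming that the CVE is still reported against the SDL_image recipe wherever that one is built, since this entry only changes the status for libsdl2.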