* [PATCH 1/2] xserver-org: update CVE_PRODUCT
@ 2026-04-12 18:52 Peter Marko
2026-04-12 18:52 ` [PATCH 2/2] xwayland: set status for CVE-2024-21886 Peter Marko
0 siblings, 1 reply; 7+ messages in thread
From: Peter Marko @ 2026-04-12 18:52 UTC (permalink / raw)
To: openembedded-core; +Cc: Peter Marko
From: Peter Marko <peter.marko@siemens.com>
In cvelistV5, CVE-2024-21886 uses CPE xorg:xserver ([1]).
Detected because this CVE is shown for xwayland recipe.
[1] https://github.com/CVEProject/cvelistV5/blob/cve_2026-04-12_1800Z/cves/2024/21xxx/CVE-2024-21886.json#L646
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/recipes-graphics/xorg-xserver/xserver-xorg.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index c79bb9e962..59c373280e 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -19,7 +19,7 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
-CVE_PRODUCT = "xorg-server x_server"
+CVE_PRODUCT = "xorg-server x_server xorg:xserver"
CVE_STATUS[CVE-2011-4613] = "not-applicable-platform: This is specific to Debian's xserver-wrapper.c"
CVE_STATUS[CVE-2020-25697] = "upstream-wontfix: \
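Review bot: the commit subject reads "xserver-org" but the file touched is meta/recipes-graphics/xorg-xserver/xserver-xorg.inc, so the recipe name in the subject should be "xserver-xorg". Also, appending `xorg:xserver` to CVE_PRODUCT makes every record filed under that CPE match the xserver-xorg recipe, including CVE-2024-21886 named in the commit message, yet no `CVE_STATUS[CVE-2024-21886]` line is added beside the existing CVE_STATUS entries in this hunk; either add one here or say in the commit message where that status is handled.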
* [PATCH 2/2] xwayland: set status for CVE-2024-21886
2026-04-12 18:52 [PATCH 1/2] xserver-org: update CVE_PRODUCT Peter Marko
@ 2026-04-12 18:52 ` Peter Marko
2026-04-12 19:04 ` Marko, Peter
0 siblings, 1 reply; 7+ messages in thread
From: Peter Marko @ 2026-04-12 18:52 UTC (permalink / raw)
To: openembedded-core; +Cc: Peter Marko
From: Peter Marko <peter.marko@siemens.com>
Reference [1]:
Introduced in: xorg-server-1.13.0 (2012)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
Note that the status should be "fixed-version", however that does not
seem to work correctly with the new sbom-cve-check.
[1] https://lists.x.org/archives/xorg/2024-January/061525.html
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/recipes-graphics/xwayland/xwayland_24.1.9.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb b/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
index df1bb7e31b..6c10eddb8e 100644
--- a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
@@ -14,6 +14,8 @@ SRC_URI[sha256sum] = "f297af27a84508db9b80d1cbbcc69c3801da38eb64c72f3b5b50f58245
UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar"
+CVE_STATUS[CVE-2024-21886] = "version-not-in-range: fixed since xwayland-23.2.4"
+
inherit meson features_check pkgconfig
REQUIRED_DISTRO_FEATURES = "x11 opengl"
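Review bot: the status value `version-not-in-range: fixed since xwayland-23.2.4` contradicts the commit message, which says the correct status is "fixed-version" and that a different value was chosen only because sbom-cve-check does not handle it yet. A workaround for a tool should be recorded in the recipe, for example as a comment above the `CVE_STATUS` line naming the tool limitation, so the entry can be switched back to "fixed-version" once the tool is fixed; otherwise the recipe carries the wrong semantics with no trace of why.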
* RE: [PATCH 2/2] xwayland: set status for CVE-2024-21886
2026-04-12 18:52 ` [PATCH 2/2] xwayland: set status for CVE-2024-21886 Peter Marko
@ 2026-04-12 19:04 ` Marko, Peter
2026-04-12 20:22 ` Benjamin Robin
0 siblings, 1 reply; 7+ messages in thread
From: Marko, Peter @ 2026-04-12 19:04 UTC (permalink / raw)
To: Benjamin Robin, Ross Burton; +Cc: openembedded-core@lists.openembedded.org
> -----Original Message-----
> From: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Sent: Sunday, April 12, 2026 8:52 PM
> To: openembedded-core@lists.openembedded.org
> Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Subject: [PATCH 2/2] xwayland: set status for CVE-2024-21886
>
> From: Peter Marko <peter.marko@siemens.com>
>
> Reference [1]:
> Introduced in: xorg-server-1.13.0 (2012)
> Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
>
> Note that the status should be "fixed-version", however that does not
> seem to work correctly with the new sbom-cve-check.
This looks like a bug in sbom-cve-check (or vex?) code.
Any idea why certain manual CVE_STATUSes would be overridden by cvelistV5 status?
>
> [1] https://lists.x.org/archives/xorg/2024-January/061525.html
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
> meta/recipes-graphics/xwayland/xwayland_24.1.9.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb b/meta/recipes-
> graphics/xwayland/xwayland_24.1.9.bb
> index df1bb7e31b..6c10eddb8e 100644
> --- a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> +++ b/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> @@ -14,6 +14,8 @@ SRC_URI[sha256sum] =
> "f297af27a84508db9b80d1cbbcc69c3801da38eb64c72f3b5b50f58245
>
> UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar"
>
> +CVE_STATUS[CVE-2024-21886] = "version-not-in-range: fixed since xwayland-
> 23.2.4"
> +
> inherit meson features_check pkgconfig
> REQUIRED_DISTRO_FEATURES = "x11 opengl"
>
* Re: [PATCH 2/2] xwayland: set status for CVE-2024-21886
2026-04-12 19:04 ` Marko, Peter
@ 2026-04-12 20:22 ` Benjamin Robin
2026-04-12 21:01 ` Marko, Peter
0 siblings, 1 reply; 7+ messages in thread
From: Benjamin Robin @ 2026-04-12 20:22 UTC (permalink / raw)
To: Ross Burton, Marko, Peter; +Cc: openembedded-core@lists.openembedded.org
Hello Peter,
On Sunday, April 12, 2026 at 9:04 PM, Marko, Peter wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Reference [1]:
> > Introduced in: xorg-server-1.13.0 (2012)
> > Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
> >
> > Note that the status should be "fixed-version", however that does not
> > seem to work correctly with the new sbom-cve-check.
>
> This looks like a bug in sbom-cve-check (or vex?) code.
> Any idea why certain manual CVE_STATUSes would be overridden by cvelistV5 status?
This should not be possible. With default configuration a manual
annotation cannot be overwritten. sbom-cve-check directly uses the
annotation without any extra processing.
> > diff --git a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb b/meta/recipes-
> > graphics/xwayland/xwayland_24.1.9.bb
> > index df1bb7e31b..6c10eddb8e 100644
> > --- a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> > +++ b/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> > @@ -14,6 +14,8 @@ SRC_URI[sha256sum] =
> > "f297af27a84508db9b80d1cbbcc69c3801da38eb64c72f3b5b50f58245
> >
> > UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar"
> >
> > +CVE_STATUS[CVE-2024-21886] = "version-not-in-range: fixed since xwayland-
> > 23.2.4"
> > +
> > inherit meson features_check pkgconfig
> > REQUIRED_DISTRO_FEATURES = "x11 opengl"
What you see is perfectly normal.
The recipe is named "xwayland", without a CVE_PRODUCT specified, so the
default CPE is "cpe:2.3:*:*:xwayland:24.1.9:*:*:*:*:*:*:*"
The CVE is associated with xorg-server and with xwayland.
And if you notice, in the report the CVE is linked to xorg-server
and to xwayland: The CVE is referenced twice in the report.
When associated with xorg-server the annotation does not work,
but when associated with xwayland it works.
I guess you also need to add the CVE_STATUS in xserver-xorg recipe.
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* RE: [PATCH 2/2] xwayland: set status for CVE-2024-21886
2026-04-12 20:22 ` Benjamin Robin
@ 2026-04-12 21:01 ` Marko, Peter
2026-04-13 7:05 ` Benjamin Robin
0 siblings, 1 reply; 7+ messages in thread
From: Marko, Peter @ 2026-04-12 21:01 UTC (permalink / raw)
To: Benjamin Robin, Ross Burton; +Cc: openembedded-core@lists.openembedded.org
> -----Original Message-----
> From: Benjamin Robin <benjamin.robin@bootlin.com>
> Sent: Sunday, April 12, 2026 10:23 PM
> To: Ross Burton <ross.burton@arm.com>; Marko, Peter (FT D EU SK BFS1)
> <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [PATCH 2/2] xwayland: set status for CVE-2024-21886
>
> Hello Peter,
>
> On Sunday, April 12, 2026 at 9:04 PM, Marko, Peter wrote:
> > > From: Peter Marko <peter.marko@siemens.com>
> > >
> > > Reference [1]:
> > > Introduced in: xorg-server-1.13.0 (2012)
> > > Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
> > >
> > > Note that the status should be "fixed-version", however that does not
> > > seem to work correctly with the new sbom-cve-check.
> >
> > This looks like a bug in sbom-cve-check (or vex?) code.
> > Any idea why certain manual CVE_STATUSes would be overridden by cvelistV5
> status?
>
> This should not be possible. With default configuration a manual
> annotation cannot be overwritten. sbom-cve-check directly uses the
> annotation without any extra processing.
I wonder what I'm doing wrong when using this new code for the first time...
When I got to the "new" CVE for ovmf, cve-metrics shows only CVE-2024-1298.
In my local build, I get all the CVEs (which are set to fixed-version in the recipe).
RECIPE=ovmf; bitbake $RECIPE -c sbom_cve_check_recipe; jq -r '.package[] | select(.name == "'$RECIPE'") | .issue[]? | select(.status == "Unpatched") | .id' tmp/deploy/images/qemux86-64/$RECIPE-recipe-sbom.sbom-cve-check.yocto.json
CVE-2014-4859
CVE-2014-4860
CVE-2014-8271
CVE-2019-14553
CVE-2019-14559
CVE-2019-14562
CVE-2019-14563
CVE-2019-14575
CVE-2019-14586
CVE-2019-14587
CVE-2024-1298
My local.conf is:
DISTRO = "poky"
INHERIT += "sbom-cve-check-recipe"
SRCREV:pn-sbom-cve-check-update-cvelist-native = "82e18eb3051039642ed8ec0b8eb15ea27dbbf52c"
include conf/distro/include/cve-extra-exclusions.inc
Peter
>
> > > diff --git a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> b/meta/recipes-
> > > graphics/xwayland/xwayland_24.1.9.bb
> > > index df1bb7e31b..6c10eddb8e 100644
> > > --- a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> > > +++ b/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> > > @@ -14,6 +14,8 @@ SRC_URI[sha256sum] =
> > > "f297af27a84508db9b80d1cbbcc69c3801da38eb64c72f3b5b50f58245
> > >
> > > UPSTREAM_CHECK_REGEX = "xwayland-
> (?P<pver>\d+(\.(?!90\d)\d+)+)\.tar"
> > >
> > > +CVE_STATUS[CVE-2024-21886] = "version-not-in-range: fixed since
> xwayland-
> > > 23.2.4"
> > > +
> > > inherit meson features_check pkgconfig
> > > REQUIRED_DISTRO_FEATURES = "x11 opengl"
>
> What you see is perfectly normal.
> The recipe is named "xwayland", without a CVE_PRODUCT specified, so the
> default CPE is "cpe:2.3:*:*:xwayland:24.1.9:*:*:*:*:*:*:*"
>
> The CVE is associated with xorg-server and with xwayland.
> And if you notice, in the report the CVE is linked to xorg-server
> and to xwayland: The CVE is referenced twice in the report.
> When associated with xorg-server the annotation does not work,
> but when associated with xwayland it works.
>
> I guess you also need to add the CVE_STATUS in xserver-xorg recipe.
>
> --
> Benjamin Robin, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
>
>
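The point Benjamin makes above (one CVE id appearing twice in the report, once per product name it matched, with the CVE_STATUS annotation taking effect only for one of them) and Peter's jq one-liner for listing Unpatched ids both read the same report file. The script below is an added example, not code from the thread or from sbom-cve-check itself. It reuses the JSON shape the jq filter implies (a top-level "package" list; each entry has a "name" and an optional "issue" list whose items carry "id" and "status", with "Unpatched" as one status value); the status value "Patched", the function names and every package entry in SAMPLE_REPORT are constructed for this example.

```python
"""Read a sbom-cve-check recipe report and show how one CVE id can carry
different statuses under different package names.

Added example, not code from the thread or from sbom-cve-check. The JSON
shape (top-level "package" list; entries with "name" and an optional "issue"
list of {"id", "status"}; "Unpatched" as a status value) follows the jq
one-liner in the thread. "Patched" and the sample entries are constructed.
"""
import json
import sys
from collections import defaultdict

# Constructed sample mirroring the thread: the same CVE is listed once under
# xwayland (annotated, so resolved) and once under xserver-xorg (not annotated).
SAMPLE_REPORT = {
    "package": [
        {
            "name": "xwayland",
            "issue": [{"id": "CVE-2024-21886", "status": "Patched"}],
        },
        {
            "name": "xserver-xorg",
            "issue": [
                {"id": "CVE-2024-21886", "status": "Unpatched"},
                {"id": "CVE-2011-4613", "status": "Patched"},
            ],
        },
        # No "issue" key at all; the jq filter's ".issue[]?" tolerates this too.
        {"name": "ovmf"},
    ]
}


def load_report(path):
    """Parse a report such as tmp/deploy/images/<machine>/<recipe>-recipe-sbom.sbom-cve-check.yocto.json."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def unpatched_ids(report, recipe):
    """Same selection as the jq one-liner: Unpatched CVE ids for one package name."""
    return [
        issue["id"]
        for pkg in report.get("package", [])
        if pkg.get("name") == recipe
        for issue in pkg.get("issue", [])
        if issue.get("status") == "Unpatched"
    ]


def cve_index(report):
    """Map each CVE id to {package name: status} across the whole report."""
    index = defaultdict(dict)
    for pkg in report.get("package", []):
        for issue in pkg.get("issue", []):
            index[issue["id"]][pkg["name"]] = issue["status"]
    return dict(index)


def split_status(report):
    """CVE ids that are Unpatched under some package names but not under all.

    This is the "referenced twice" case from the thread: a CVE_STATUS in one
    recipe does not cover the same CVE matched through another product name.
    """
    return {
        cve: by_pkg
        for cve, by_pkg in cve_index(report).items()
        if len(by_pkg) > 1
        and any(s == "Unpatched" for s in by_pkg.values())
        and not all(s == "Unpatched" for s in by_pkg.values())
    }


if __name__ == "__main__":
    # Pass a real report path as the first argument; otherwise use the sample.
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    for cve, by_pkg in sorted(split_status(report).items()):
        names = ", ".join(f"{pkg}={status}" for pkg, status in sorted(by_pkg.items()))
        print(f"{cve}: {names}")
```

Run against a real report, `split_status` lists exactly the ids that need a second CVE_STATUS entry in the other recipe (or a matching CVE_PRODUCT adjustment), which is the follow-up Benjamin suggests for xserver-xorg.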
* Re: [PATCH 2/2] xwayland: set status for CVE-2024-21886
2026-04-12 21:01 ` Marko, Peter
@ 2026-04-13 7:05 ` Benjamin Robin
2026-04-13 9:00 ` Marko, Peter
0 siblings, 1 reply; 7+ messages in thread
From: Benjamin Robin @ 2026-04-13 7:05 UTC (permalink / raw)
To: Ross Burton, Marko, Peter; +Cc: openembedded-core@lists.openembedded.org
On Sunday, April 12, 2026 at 11:01 PM, Marko, Peter wrote:
> > From: Benjamin Robin <benjamin.robin@bootlin.com>
> > This should not be possible. With default configuration a manual
> > annotation cannot be overwritten. sbom-cve-check directly uses the
> > annotation without any extra processing.
>
> I wonder what I'm doing wrong when using this new code for the first time...
> When I got to the "new" CVE for ovmf, cve-metrics shows only CVE-2024-1298.
> In my local build, I get all the CVEs (which are set to fixed-version in the recipe).
>
> RECIPE=ovmf; bitbake $RECIPE -c sbom_cve_check_recipe; jq -r '.package[] | select(.name == "'$RECIPE'") | .issue[]? | select(.status == "Unpatched") | .id' tmp/deploy/images/qemux86-64/$RECIPE-recipe-sbom.sbom-cve-check.yocto.json
> CVE-2014-4859
> CVE-2014-4860
> CVE-2014-8271
> CVE-2019-14553
> CVE-2019-14559
> CVE-2019-14562
> CVE-2019-14563
> CVE-2019-14575
> CVE-2019-14586
> CVE-2019-14587
> CVE-2024-1298
>
> My local.conf is:
> DISTRO = "poky"
> INHERIT += "sbom-cve-check-recipe"
> SRCREV:pn-sbom-cve-check-update-cvelist-native = "82e18eb3051039642ed8ec0b8eb15ea27dbbf52c"
> include conf/distro/include/cve-extra-exclusions.inc
I still cannot reproduce your issue.
Could you share these 2 files (by email and compressed, and maybe only to me):
- ovmf-recipe-sbom.spdx.json
- ovmf-recipe-sbom.sbom-cve-check.yocto.json
If you also have a KAS configuration file of your current setup, this will
be great.
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* RE: [PATCH 2/2] xwayland: set status for CVE-2024-21886
2026-04-13 7:05 ` Benjamin Robin
@ 2026-04-13 9:00 ` Marko, Peter
0 siblings, 0 replies; 7+ messages in thread
From: Marko, Peter @ 2026-04-13 9:00 UTC (permalink / raw)
To: Benjamin Robin, Ross Burton; +Cc: openembedded-core@lists.openembedded.org
> -----Original Message-----
> From: Benjamin Robin <benjamin.robin@bootlin.com>
> Sent: Monday, April 13, 2026 9:05 AM
> To: Ross Burton <ross.burton@arm.com>; Marko, Peter (FT D EU SK BFS1)
> <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [PATCH 2/2] xwayland: set status for CVE-2024-21886
>
> On Sunday, April 12, 2026 at 11:01 PM, Marko, Peter wrote:
> > > From: Benjamin Robin <benjamin.robin@bootlin.com>
> > > This should not be possible. With default configuration a manual
> > > annotation cannot be overwritten. sbom-cve-check directly uses the
> > > annotation without any extra processing.
> >
> > I wonder what I'm doing wrong when using this new code for the first time...
> > When I got to the "new" CVE for ovmf, cve-metrics shows only CVE-2024-1298.
> > In my local build, I get all the CVEs (which are set to fixed-version in the recipe).
> >
> > RECIPE=ovmf; bitbake $RECIPE -c sbom_cve_check_recipe; jq -r '.package[] |
> select(.name == "'$RECIPE'") | .issue[]? | select(.status == "Unpatched") | .id'
> tmp/deploy/images/qemux86-64/$RECIPE-recipe-sbom.sbom-cve-check.yocto.json
> > CVE-2014-4859
> > CVE-2014-4860
> > CVE-2014-8271
> > CVE-2019-14553
> > CVE-2019-14559
> > CVE-2019-14562
> > CVE-2019-14563
> > CVE-2019-14575
> > CVE-2019-14586
> > CVE-2019-14587
> > CVE-2024-1298
> >
> > My local.conf is:
> > DISTRO = "poky"
> > INHERIT += "sbom-cve-check-recipe"
> > SRCREV:pn-sbom-cve-check-update-cvelist-native =
> "82e18eb3051039642ed8ec0b8eb15ea27dbbf52c"
> > include conf/distro/include/cve-extra-exclusions.inc
>
> I still cannot reproduce your issue.
> Could you share these 2 files (by email and compressed, and maybe only to me):
> - ovmf-recipe-sbom.spdx.json
> - ovmf-recipe-sbom.sbom-cve-check.yocto.json
>
> If you also have a KAS configuration file of your current setup, this will
> be great.
OK, now I found the missing piece (in sbom-cve-check fragment)
SPDX_INCLUDE_VEX = "all" is needed to pass the fixed-version flags.
Sorry for the noise; adopting new things sometimes takes a lot of attempts.
>
> --
> Benjamin Robin, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
>
>