Re: [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Benjamin Robin <benjamin.robin@bootlin.com>
To: "Marko, Peter" <Peter.Marko@siemens.com>
Cc: "openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517
Date: Mon, 27 Apr 2026 09:12:50 +0200	[thread overview]
Message-ID: <RRV3rhtPRj-XxHaMgbEl5A@bootlin.com> (raw)
In-Reply-To: <AS1PR10MB56977CF6AB8F681734EAD75DFD292@AS1PR10MB5697.EURPRD10.PROD.OUTLOOK.COM>

On Sunday, April 26, 2026 at 9:17 PM, Marko, Peter wrote:
> 
> > -----Original Message-----
> > From: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> > Sent: Sunday, April 26, 2026 8:50 PM
> > To: openembedded-core@lists.openembedded.org
> > Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> > Subject: [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517
> > 
> > From: Peter Marko <peter.marko@siemens.com>
> > 
> > These CVEs are for sudo-rs, not sudo.
> > It can be easily deducted from first word in NVD descripotion.
> > Also cvelistV5 product is "sudo-re".
> > 
> > It looks line that new version of sbom-cve-check matches product with
> > startsWith instead of equals?
> 
> Benjamin, any idea about this topic?

Yes, sadly the CPE of sudo-rs is trifectatech:sudo.
Why this is the official CPE of sudo-rs, I don't know...

What it is happening:
 - From https://cveawg.mitre.org/api/cve/CVE-2025-64170
   we extract vendor and product name, then we look the products database
   which is built in sbom-cve-check.
 - The returned CPE are "memorysafety:sudo", "trifectatech:sudo"
 - Then we check if the CPE in the SBOM matches with these CPE.
   Currently sudo is declared as: *:sudo, which matches trifectatech:sudo.

The easy fix is to declare the proper CPE of sudo using CVE_PRODUCT,
which should be set to "sudo_project:sudo".

This behavior is documented here:
https://sbom-cve-check.readthedocs.io/en/latest/design.html#find-applicable-cve

> 
> > 
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  meta/recipes-extended/sudo/sudo_1.9.17p2.bb | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/meta/recipes-extended/sudo/sudo_1.9.17p2.bb b/meta/recipes-
> > extended/sudo/sudo_1.9.17p2.bb
> > index d6ee881f8c..12f81c5d4a 100644
> > --- a/meta/recipes-extended/sudo/sudo_1.9.17p2.bb
> > +++ b/meta/recipes-extended/sudo/sudo_1.9.17p2.bb
> > @@ -60,3 +60,6 @@ RDEPENDS:${PN} += "${SUDO_PACKAGES}"
> > 
> >  FILES:${PN}-sudo = "${bindir}/sudo ${bindir}/sudoedit"
> >  FILES:${PN}-lib = "${localstatedir} ${libexecdir} ${sysconfdir} ${libdir}
> > ${nonarch_libdir}"
> > +
> > +CVE_STATUS[CVE-2025-64170] = "cpe-incorrect: this CVE is for sudo-rs"
> > +CVE_STATUS[CVE-2025-64517] = "cpe-incorrect: this CVE is for sudo-rs"
> 


-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

next prev parent reply	other threads:[~2026-04-27  7:13 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-26 18:50 [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517 Peter Marko
2026-04-26 18:50 ` [PATCH 2/6] cargo: set status of CVE-2023-40030 Peter Marko
2026-04-26 18:50 ` [PATCH 3/6] cargo: set CVE_PRODUCT Peter Marko
2026-04-26 18:50 ` [PATCH 4/6] git: set status of 5 CVEs Peter Marko
2026-04-26 18:50 ` [PATCH 5/6] ovmf: set status for 7 CVEs Peter Marko
2026-04-26 18:50 ` [PATCH 6/6] ffmpeg: set status for 5 CVEs Peter Marko
2026-04-27  7:44   ` Benjamin Robin
2026-04-27 10:07     ` Marko, Peter
2026-04-27 10:10   ` [PATCH v2] ffmpeg: set status for 4 CVEs Peter Marko
2026-04-27 16:40     ` Marko, Peter
2026-04-26 19:17 ` [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517 Marko, Peter
2026-04-27  7:12   ` Benjamin Robin [this message]
2026-04-28 16:51     ` Marko, Peter
2026-04-29  7:24       ` Benjamin Robin
2026-04-29 17:13         ` Marko, Peter
2026-04-30  7:21           ` Benjamin Robin
2026-04-30  7:32             ` Benjamin Robin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=RRV3rhtPRj-XxHaMgbEl5A@bootlin.com \
    --to=benjamin.robin@bootlin.com \
    --cc=Peter.Marko@siemens.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.