From: Benjamin Robin <benjamin.robin@bootlin.com>
To: "Marko, Peter" <Peter.Marko@siemens.com>
Cc: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517
Date: Thu, 30 Apr 2026 09:21:02 +0200 [thread overview]
Message-ID: <zu-eGewcQDqGgk84Tio0gA@bootlin.com> (raw)
In-Reply-To: <AS1PR10MB56972D5D144DE00D1F5838B3FD342@AS1PR10MB5697.EURPRD10.PROD.OUTLOOK.COM>
Hello Peter,
On Wednesday, April 29, 2026 at 7:13 PM, Marko, Peter wrote:
> > > Hello Benjamin,
> > >
> > > I will sent CVE_PRODUCT update to get rid of some older sudo-rs CVE.
> > >
> > > However for these two CVEs, I can still only see "sudo-rs" as product, not "sudo",
> > also via link you have provided from cveawg.org/api.
> >
> > Yes, but this is not a CPE. As explained previously (see the steps detailed
> > above in the previous email), using the vendor/product names extracted from
> > the associated field, we look in the products database for an associated CPE:
> > https://github.com/bootlin/sbom-cve-
> > check/blob/v1.3.0/src/sbom_cve_check/products/products.toml#L1688
>
> Thanks for the explanation.
> Finally, I'm starting to understand how some CVEs get assigned to components where I'd not expect them.
>
> How was that toml file created? Manual work?
> For sudo I think the table is correct (although I don't understand NVD motivation for that).
This is a mix of an automated script and of a manual work...
> However for SDL (CVE-2026-35444) it looks wrong:
> https://github.com/bootlin/sbom-cve-check/blob/v1.3.0/src/sbom_cve_check/products/products.toml#L1608
> Why does it map sdl and sdl_image and simple_directmedia_layer together?
> There are distinctive CPEs for both sdl and sdl_image in NVD DB...
From my understanding this was the same component, but it is clearly
not the case...
- https://nvd.nist.gov/vuln/detail/CVE-2019-7573 use this CPE
"cpe:2.3:a:libsdl:simple_directmedia_layer:*:*:*:*:*:*:*:*"
and refer to both SDL 1 and 2. The referenced code looks like it is:
https://github.com/libsdl-org/SDL/blob/main/src/audio/SDL_wave.c#L376
- https://nvd.nist.gov/vuln/detail/CVE-2008-0544 use this CPE
"cpe:2.3:a:sdl:sdl_image:1.2.6:*:*:*:*:*:*:*"
and refer to SDL_image 1. The referenced code looks like it is:
https://github.com/libsdl-org/SDL_image/blob/SDL-1.2/IMG_lbm.c
> Peter
I expected to make several mistakes. This is a first version, and it is
going to be improved and fixed in the long run (at least this was my plan).
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
next prev parent reply other threads:[~2026-04-30 7:21 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-26 18:50 [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517 Peter Marko
2026-04-26 18:50 ` [PATCH 2/6] cargo: set status of CVE-2023-40030 Peter Marko
2026-04-26 18:50 ` [PATCH 3/6] cargo: set CVE_PRODUCT Peter Marko
2026-04-26 18:50 ` [PATCH 4/6] git: set status of 5 CVEs Peter Marko
2026-04-26 18:50 ` [PATCH 5/6] ovmf: set status for 7 CVEs Peter Marko
2026-04-26 18:50 ` [PATCH 6/6] ffmpeg: set status for 5 CVEs Peter Marko
2026-04-27 7:44 ` Benjamin Robin
2026-04-27 10:07 ` Marko, Peter
2026-04-27 10:10 ` [PATCH v2] ffmpeg: set status for 4 CVEs Peter Marko
2026-04-27 16:40 ` Marko, Peter
2026-04-26 19:17 ` [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517 Marko, Peter
2026-04-27 7:12 ` Benjamin Robin
2026-04-28 16:51 ` Marko, Peter
2026-04-29 7:24 ` Benjamin Robin
2026-04-29 17:13 ` Marko, Peter
2026-04-30 7:21 ` Benjamin Robin [this message]
2026-04-30 7:32 ` Benjamin Robin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=zu-eGewcQDqGgk84Tio0gA@bootlin.com \
--to=benjamin.robin@bootlin.com \
--cc=Peter.Marko@siemens.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.