Openembedded Core Discussions
 help / color / mirror / Atom feed
* [PATCH 1/4] python3-cryptography: set CVE_PRODUCT
@ 2026-07-10  7:43 mark.yang
  2026-07-10  7:43 ` [PATCH 2/4] python3-ply: set CVE_PRODUCT and CVE_STATUS for CVE-2025-56005 as disputed mark.yang
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: mark.yang @ 2026-07-10  7:43 UTC (permalink / raw)
  To: openembedded-core; +Cc: mark.yang

From: "mark.yang" <mark.yang@lge.com>

NVD lists it as cryptography.io:cryptography,
and CNA lists it as pyca:cryptography, so CVE_PRODUCT is set to cryptography.

Signed-off-by: mark.yang <mark.yang@lge.com>
---
 meta/recipes-devtools/python/python3-cryptography.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-cryptography.bb b/meta/recipes-devtools/python/python3-cryptography.bb
index 4730c34997..6138028d55 100644
--- a/meta/recipes-devtools/python/python3-cryptography.bb
+++ b/meta/recipes-devtools/python/python3-cryptography.bb
@@ -71,4 +71,6 @@ do_install_ptest() {
     cp -r ${S}/pyproject.toml ${D}${PTEST_PATH}/
 }
 
+CVE_PRODUCT = "cryptography"
+
 BBCLASSEXTEND = "native nativesdk"


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [PATCH 2/4] python3-ply: set CVE_PRODUCT and CVE_STATUS for CVE-2025-56005 as disputed
  2026-07-10  7:43 [PATCH 1/4] python3-cryptography: set CVE_PRODUCT mark.yang
@ 2026-07-10  7:43 ` mark.yang
  2026-07-13 16:24   ` [OE-core] " Paul Barker
  2026-07-10  7:43 ` [PATCH 3/4] python3-pyasn1: set CVE_PRODUCT mark.yang
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 7+ messages in thread
From: mark.yang @ 2026-07-10  7:43 UTC (permalink / raw)
  To: openembedded-core; +Cc: mark.yang

From: "mark.yang" <mark.yang@lge.com>

For python3-ply, the CVE_PRODUCT should be set to ply, not python:ply.
NVD registers ply as dabeaz:ply, so the default python:ply vendor prefix never matches and no CVEs are reported.

CVE-2025-56005 is disputed.
See https://nvd.nist.gov/vuln/detail/CVE-2025-56005

Signed-off-by: mark.yang <mark.yang@lge.com>
---
 meta/recipes-devtools/python/python3-ply_3.11.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-ply_3.11.bb b/meta/recipes-devtools/python/python3-ply_3.11.bb
index 2c5fa3f215..ce45bbc1bd 100644
--- a/meta/recipes-devtools/python/python3-ply_3.11.bb
+++ b/meta/recipes-devtools/python/python3-ply_3.11.bb
@@ -14,4 +14,8 @@ RDEPENDS:${PN}:class-target += "\
     python3-shell \
 "
 
+CVE_PRODUCT = "ply"
+# https://nvd.nist.gov/vuln/detail/CVE-2025-56005 Disputed
+CVE_STATUS[CVE-2025-56005] = "disputed: PoC fails to demonstrate code execution; picklefile is a developer-controlled parser-table cache parameter"
+
 BBCLASSEXTEND = "native nativesdk"


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [PATCH 3/4] python3-pyasn1: set CVE_PRODUCT
  2026-07-10  7:43 [PATCH 1/4] python3-cryptography: set CVE_PRODUCT mark.yang
  2026-07-10  7:43 ` [PATCH 2/4] python3-ply: set CVE_PRODUCT and CVE_STATUS for CVE-2025-56005 as disputed mark.yang
@ 2026-07-10  7:43 ` mark.yang
  2026-07-13 17:14   ` [OE-core] " Ross Burton
  2026-07-10  7:43 ` [PATCH 4/4] libx11-compose-data: set CVE_PRODUCT to empty value mark.yang
  2026-07-13 17:15 ` [OE-core] [PATCH 1/4] python3-cryptography: set CVE_PRODUCT Ross Burton
  3 siblings, 1 reply; 7+ messages in thread
From: mark.yang @ 2026-07-10  7:43 UTC (permalink / raw)
  To: openembedded-core; +Cc: mark.yang

From: "mark.yang" <mark.yang@lge.com>

Set the product to pyasn1.

The default python:pyasn1 does not match the NVD/CNA entries which use pyasn1 as vendor, so CVEs like CVE-2026-30922
are never reported.

Signed-off-by: mark.yang <mark.yang@lge.com>
---
 meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb b/meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb
index fb572d9da4..ee3cfc9813 100644
--- a/meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb
+++ b/meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb
@@ -14,4 +14,6 @@ RDEPENDS:${PN}:class-target += " \
     python3-shell \
 "
 
+CVE_PRODUCT = "pyasn1"
+
 BBCLASSEXTEND = "native nativesdk"


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [PATCH 4/4] libx11-compose-data: set CVE_PRODUCT to empty value
  2026-07-10  7:43 [PATCH 1/4] python3-cryptography: set CVE_PRODUCT mark.yang
  2026-07-10  7:43 ` [PATCH 2/4] python3-ply: set CVE_PRODUCT and CVE_STATUS for CVE-2025-56005 as disputed mark.yang
  2026-07-10  7:43 ` [PATCH 3/4] python3-pyasn1: set CVE_PRODUCT mark.yang
@ 2026-07-10  7:43 ` mark.yang
  2026-07-13 17:15 ` [OE-core] [PATCH 1/4] python3-cryptography: set CVE_PRODUCT Ross Burton
  3 siblings, 0 replies; 7+ messages in thread
From: mark.yang @ 2026-07-10  7:43 UTC (permalink / raw)
  To: openembedded-core; +Cc: mark.yang

From: "mark.yang" <mark.yang@lge.com>

This recipe only builds and installs the compose data files (nls/) from
the libX11 sources and contains no compiled libX11 code, so libx11 CVEs
do not apply to it. When the x11 DISTRO_FEATURE is enabled this recipe
is skipped and libx11 itself is built and scanned instead.

Referred glibc-locale case:
https://github.com/openembedded/openembedded-core/commit/1f9a963b9ff7ebe052ba54b9fcbdf7d09478dd17

Signed-off-by: mark.yang <mark.yang@lge.com>
---
 .../recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb b/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb
index 562a8cbf16..4bf9f07aba 100644
--- a/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb
@@ -29,3 +29,9 @@ do_install() {
 PACKAGES = "${PN}"
 
 FILES:${PN} = "${datadir}/X11/locale ${libdir}/X11/locale"
+
+# This recipe only builds and installs the compose data files (nls/) from
+# the libX11 sources and contains no compiled libX11 code, so libx11 CVEs
+# do not apply to it. When the x11 DISTRO_FEATURE is enabled this recipe
+# is skipped and libx11 itself is built and scanned instead.
+CVE_PRODUCT = ""


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [OE-core] [PATCH 2/4] python3-ply: set CVE_PRODUCT and CVE_STATUS for CVE-2025-56005 as disputed
  2026-07-10  7:43 ` [PATCH 2/4] python3-ply: set CVE_PRODUCT and CVE_STATUS for CVE-2025-56005 as disputed mark.yang
@ 2026-07-13 16:24   ` Paul Barker
  0 siblings, 0 replies; 7+ messages in thread
From: Paul Barker @ 2026-07-13 16:24 UTC (permalink / raw)
  To: mark.yang, openembedded-core

[-- Attachment #1: Type: text/plain, Size: 1847 bytes --]

On Fri, 2026-07-10 at 16:43 +0900, mark.yang via lists.openembedded.org
wrote:
> From: "mark.yang" <mark.yang@lge.com>
> 
> For python3-ply, the CVE_PRODUCT should be set to ply, not python:ply.
> NVD registers ply as dabeaz:ply, so the default python:ply vendor prefix never matches and no CVEs are reported.
> 
> CVE-2025-56005 is disputed.
> See https://nvd.nist.gov/vuln/detail/CVE-2025-56005
> 
> Signed-off-by: mark.yang <mark.yang@lge.com>
> ---
>  meta/recipes-devtools/python/python3-ply_3.11.bb | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/meta/recipes-devtools/python/python3-ply_3.11.bb b/meta/recipes-devtools/python/python3-ply_3.11.bb
> index 2c5fa3f215..ce45bbc1bd 100644
> --- a/meta/recipes-devtools/python/python3-ply_3.11.bb
> +++ b/meta/recipes-devtools/python/python3-ply_3.11.bb
> @@ -14,4 +14,8 @@ RDEPENDS:${PN}:class-target += "\
>      python3-shell \
>  "
>  
> +CVE_PRODUCT = "ply"
> +# https://nvd.nist.gov/vuln/detail/CVE-2025-56005 Disputed
> +CVE_STATUS[CVE-2025-56005] = "disputed: PoC fails to demonstrate code execution; picklefile is a developer-controlled parser-table cache parameter"
> +

Hi,

The NVD entry [1] says:

  A third-party states that this vulnerability should be rejected
  because the proof of concept does not demonstrate arbitrary code
  execution and fails to complete successfully.

Following the links in the NVD entry I see what I assume is the argument
to dispute this [2] and an argument to dispute the dispute [3]. It's not
very convincing to me. I think we need a more clear reason why we want
to ignore this CVE.

[1]: https://nvd.nist.gov/vuln/detail/CVE-2025-56005
[2]: https://github.com/tom025/ply_exploit_rejection
[3]: https://www.openwall.com/lists/oss-security/2026/01/29/1

Best regards,

-- 
Paul Barker


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [OE-core] [PATCH 3/4] python3-pyasn1: set CVE_PRODUCT
  2026-07-10  7:43 ` [PATCH 3/4] python3-pyasn1: set CVE_PRODUCT mark.yang
@ 2026-07-13 17:14   ` Ross Burton
  0 siblings, 0 replies; 7+ messages in thread
From: Ross Burton @ 2026-07-13 17:14 UTC (permalink / raw)
  To: mark.yang@lge.com; +Cc: openembedded-core@lists.openembedded.org

On 10 Jul 2026, at 08:43, mark.yang via lists.openembedded.org <mark.yang=lge.com@lists.openembedded.org> wrote:
> The default python:pyasn1 does not match the NVD/CNA entries which use pyasn1 as vendor, so CVEs like CVE-2026-30922
> are never reported.

Where we know the exact CPE that is used, we should use it.  Can you set CVE_PRODUCT to pyasn1:pyasn1 instead.

Ross

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [OE-core] [PATCH 1/4] python3-cryptography: set CVE_PRODUCT
  2026-07-10  7:43 [PATCH 1/4] python3-cryptography: set CVE_PRODUCT mark.yang
                   ` (2 preceding siblings ...)
  2026-07-10  7:43 ` [PATCH 4/4] libx11-compose-data: set CVE_PRODUCT to empty value mark.yang
@ 2026-07-13 17:15 ` Ross Burton
  3 siblings, 0 replies; 7+ messages in thread
From: Ross Burton @ 2026-07-13 17:15 UTC (permalink / raw)
  To: mark.yang@lge.com; +Cc: openembedded-core@lists.openembedded.org

On 10 Jul 2026, at 08:43, mark.yang via lists.openembedded.org <mark.yang=lge.com@lists.openembedded.org> wrote:
> NVD lists it as cryptography.io:cryptography,
> and CNA lists it as pyca:cryptography, so CVE_PRODUCT is set to cryptography.

“cryptography” is vague and will no doubt cause false-positives in the future, and CVE_PRODUCT is actually a list, so setting it to "cryptography.io:cryptography pyca:cryptography” will match correctly and precisely.

Ross

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2026-07-13 17:16 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-10  7:43 [PATCH 1/4] python3-cryptography: set CVE_PRODUCT mark.yang
2026-07-10  7:43 ` [PATCH 2/4] python3-ply: set CVE_PRODUCT and CVE_STATUS for CVE-2025-56005 as disputed mark.yang
2026-07-13 16:24   ` [OE-core] " Paul Barker
2026-07-10  7:43 ` [PATCH 3/4] python3-pyasn1: set CVE_PRODUCT mark.yang
2026-07-13 17:14   ` [OE-core] " Ross Burton
2026-07-10  7:43 ` [PATCH 4/4] libx11-compose-data: set CVE_PRODUCT to empty value mark.yang
2026-07-13 17:15 ` [OE-core] [PATCH 1/4] python3-cryptography: set CVE_PRODUCT Ross Burton

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox