Openembedded Core Discussions
 help / color / mirror / Atom feed
From: Paul Barker <paul@pbarker.dev>
To: mark.yang@lge.com, openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH 2/4] python3-ply: set CVE_PRODUCT and CVE_STATUS for CVE-2025-56005 as disputed
Date: Mon, 13 Jul 2026 17:24:39 +0100	[thread overview]
Message-ID: <56fd0d75fa3ab81dd52b4e792284e029d2d92f51.camel@pbarker.dev> (raw)
In-Reply-To: <20260710074415.3341616-2-mark.yang@lge.com>

[-- Attachment #1: Type: text/plain, Size: 1847 bytes --]

On Fri, 2026-07-10 at 16:43 +0900, mark.yang via lists.openembedded.org
wrote:
> From: "mark.yang" <mark.yang@lge.com>
> 
> For python3-ply, the CVE_PRODUCT should be set to ply, not python:ply.
> NVD registers ply as dabeaz:ply, so the default python:ply vendor prefix never matches and no CVEs are reported.
> 
> CVE-2025-56005 is disputed.
> See https://nvd.nist.gov/vuln/detail/CVE-2025-56005
> 
> Signed-off-by: mark.yang <mark.yang@lge.com>
> ---
>  meta/recipes-devtools/python/python3-ply_3.11.bb | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/meta/recipes-devtools/python/python3-ply_3.11.bb b/meta/recipes-devtools/python/python3-ply_3.11.bb
> index 2c5fa3f215..ce45bbc1bd 100644
> --- a/meta/recipes-devtools/python/python3-ply_3.11.bb
> +++ b/meta/recipes-devtools/python/python3-ply_3.11.bb
> @@ -14,4 +14,8 @@ RDEPENDS:${PN}:class-target += "\
>      python3-shell \
>  "
>  
> +CVE_PRODUCT = "ply"
> +# https://nvd.nist.gov/vuln/detail/CVE-2025-56005 Disputed
> +CVE_STATUS[CVE-2025-56005] = "disputed: PoC fails to demonstrate code execution; picklefile is a developer-controlled parser-table cache parameter"
> +

Hi,

The NVD entry [1] says:

  A third-party states that this vulnerability should be rejected
  because the proof of concept does not demonstrate arbitrary code
  execution and fails to complete successfully.

Following the links in the NVD entry I see what I assume is the argument
to dispute this [2] and an argument to dispute the dispute [3]. It's not
very convincing to me. I think we need a more clear reason why we want
to ignore this CVE.

[1]: https://nvd.nist.gov/vuln/detail/CVE-2025-56005
[2]: https://github.com/tom025/ply_exploit_rejection
[3]: https://www.openwall.com/lists/oss-security/2026/01/29/1

Best regards,

-- 
Paul Barker


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

  reply	other threads:[~2026-07-13 16:24 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-10  7:43 [PATCH 1/4] python3-cryptography: set CVE_PRODUCT mark.yang
2026-07-10  7:43 ` [PATCH 2/4] python3-ply: set CVE_PRODUCT and CVE_STATUS for CVE-2025-56005 as disputed mark.yang
2026-07-13 16:24   ` Paul Barker [this message]
2026-07-10  7:43 ` [PATCH 3/4] python3-pyasn1: set CVE_PRODUCT mark.yang
2026-07-13 17:14   ` [OE-core] " Ross Burton
2026-07-10  7:43 ` [PATCH 4/4] libx11-compose-data: set CVE_PRODUCT to empty value mark.yang
2026-07-13 17:15 ` [OE-core] [PATCH 1/4] python3-cryptography: set CVE_PRODUCT Ross Burton

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56fd0d75fa3ab81dd52b4e792284e029d2d92f51.camel@pbarker.dev \
    --to=paul@pbarker.dev \
    --cc=mark.yang@lge.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox