[PATCH 1/6] xdg-utils: set status for CVE-2025-52968

[PATCH 1/6] xdg-utils: set status for CVE-2025-52968

[Peter Marko]

From: Peter Marko <peter.marko@siemens.com>

This CVE has tag "disputed", see [1].

[1] https://github.com/CVEProject/cvelistV5/blob/cve_2026-04-12_1800Z/cves/2025/52xxx/CVE-2025-52968.json#L91

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
index 3ee320da5a..e39a65831e 100644
--- a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
+++ b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
@@ -36,3 +36,5 @@ REQUIRED_DISTRO_FEATURES = "x11"
 
 DEPENDS = "xmlto-native libxslt-native"
 RDEPENDS:${PN} += "xprop"
+
+CVE_STATUS[CVE-2025-52968] = "disputed"

[PATCH 2/6] wic: set CVE_PRODUCT

[Peter Marko]

From: Peter Marko <peter.marko@siemens.com>

Current CVE reports show following CVE-2008-6713 as open.
NVD shows CPE as massive_entertainment:wic ([1]).

Set vendor as yoctoproject, which is best approximation of possible
future CVEs as it is already used for other yocto repositories.

[1] https://nvd.nist.gov/vuln/detail/CVE-2008-6713

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-support/wic/wic_0.3.0.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-support/wic/wic_0.3.0.bb b/meta/recipes-support/wic/wic_0.3.0.bb
index a0a2773c76..c9732a359a 100644
--- a/meta/recipes-support/wic/wic_0.3.0.bb
+++ b/meta/recipes-support/wic/wic_0.3.0.bb
@@ -8,6 +8,9 @@ SRCREV = "5974ade11032f218841d9f449ef0efeee3f9a2ca"
 
 inherit python_hatchling
 
+# do not report CVEs for other wic tools
+CVE_PRODUCT = "yoctoproject:wic"
+
 RDEPENDS:${PN} += " \
     python3-core \
     python3-json \

[PATCH 3/6] tar: set status for CVE-2025-45582

[Peter Marko]

From: Peter Marko <peter.marko@siemens.com>

This CVE is disputed by tar maintainers as documented in [1].
The same link is present in NVD and cvelistV5.
Also Debian says "disputed" in [2].

[1] https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
[2] https://security-tracker.debian.org/tracker/CVE-2025-45582

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-extended/tar/tar_1.35.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-extended/tar/tar_1.35.bb b/meta/recipes-extended/tar/tar_1.35.bb
index d463eff97d..042baa035c 100644
--- a/meta/recipes-extended/tar/tar_1.35.bb
+++ b/meta/recipes-extended/tar/tar_1.35.bb
@@ -95,6 +95,8 @@ BBCLASSEXTEND = "native nativesdk"
 # For example CVE-2021-{32803,32804,37701,37712,37713}
 CVE_PRODUCT = "gnu:tar"
 
+CVE_STATUS[CVE-2025-45582] = "disputed"
+
 # A test uses cmp to compare two 8GB files. Busybox's cmp does the job usually, but it is much slower than
 # diffutils' cmp, and the test times out when there is a high load on the host machine.
 RDEPENDS:${PN}-ptest += "diffutils"

[PATCH 4/6] screen: set status for CVE-2025-46802

[Peter Marko]

From: Peter Marko <peter.marko@siemens.com>

This CVE is showing in the new sbom CVE reports.
It is fixed via [1] which is included in:

$git tag --contains d10eb5b2f7eebaa347f09c010bd391373fdd1695
v.5.0.1

[1] https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=d10eb5b2f7eebaa347f09c010bd391373fdd1695

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-extended/screen/screen_5.0.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-extended/screen/screen_5.0.1.bb b/meta/recipes-extended/screen/screen_5.0.1.bb
index 69f4098519..0155ece374 100644
--- a/meta/recipes-extended/screen/screen_5.0.1.bb
+++ b/meta/recipes-extended/screen/screen_5.0.1.bb
@@ -44,3 +44,5 @@ pkg_postinst:${PN} () {
 pkg_postrm:${PN} () {
 	printf "$(grep -v "^${bindir}/screen$" $D${sysconfdir}/shells)\n" > $D${sysconfdir}/shells
 }
+
+CVE_STATUS[CVE-2025-46802] = "fixed-version: fixed since 5.0.1"

[PATCH 5/6] ovmf: set status for CVE-2024-1298

[Peter Marko]

From: Peter Marko <peter.marko@siemens.com>

cvelistV5 uses full tag name (edk2-stable202405) while NVD uses only
version (202405).
Since NVD CPE is not yet available, cvelistV5 marks it at not patched
yet because the string sorts after the version.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-core/ovmf/ovmf_git.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index ec6c3b516c..150e2d47e0 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -45,6 +45,7 @@ CVE_STATUS[CVE-2019-14563] = "fixed-version: The CPE in the NVD database doesn't
 CVE_STATUS[CVE-2019-14575] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
 CVE_STATUS[CVE-2019-14586] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
 CVE_STATUS[CVE-2019-14587] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
+CVE_STATUS[CVE-2024-1298] = "fixed-version: fixed since edk2-stable202405"
 
 inherit deploy
 

[PATCH 6/6] mpg123: set status for CVE-2006-3355

[Peter Marko]

From: Peter Marko <peter.marko@siemens.com>

This seems to be a bug in sbom-cve-check.
I could get a clean report with following fkie change:

           "cpeMatch": [
+            {
+              "vulnerable": true,
+              "criteria": "cpe:2.3:a:mpg123:mpg123:0.59r:*:*:*:*:*:*:*",
+              "matchCriteriaId": "1F8EEF7E-C6BB-4669-81D2-68AABF8A7686"
+            },
             {
               "vulnerable": true,
               "criteria": "cpe:2.3:a:mpg123:mpg123:pre0.59s_r11:*:*:*:*:*:*:*",
               "matchCriteriaId": "9765C6AD-E1F0-421C-B7B1-C09AD83A3DB7"
             }
           ]

However I'm not sure why adding another vulnerable version should switch
the vulnerability flag from true to false...

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb b/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb
index 648eb21500..dd5f8a53f5 100644
--- a/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb
+++ b/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb
@@ -53,3 +53,5 @@ EXTRA_OECONF = " \
 #| make[3]: *** [equalizer.lo] Error 1
 ARM_INSTRUCTION_SET:armv4 = "arm"
 ARM_INSTRUCTION_SET:armv5 = "arm"
+
+CVE_STATUS[CVE-2006-3355] = "fixed-version: fixed since pre0.59s_r11"

RE: [PATCH 6/6] mpg123: set status for CVE-2006-3355

[Marko, Peter]

Benjamin,

This one is weird
How can someone debug the sbom-cve-check script to figure out why the match is positive or negative?
That would be great feature if there would be some option to print the comparisons.

Peter

> -----Original Message-----
> From: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Sent: Monday, April 13, 2026 11:15 PM
> To: openembedded-core@lists.openembedded.org
> Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Subject: [PATCH 6/6] mpg123: set status for CVE-2006-3355
> 
> From: Peter Marko <peter.marko@siemens.com>
> 
> This seems to be a bug in sbom-cve-check.
> I could get a clean report with following fkie change:
> 
>            "cpeMatch": [
> +            {
> +              "vulnerable": true,
> +              "criteria": "cpe:2.3:a:mpg123:mpg123:0.59r:*:*:*:*:*:*:*",
> +              "matchCriteriaId": "1F8EEF7E-C6BB-4669-81D2-68AABF8A7686"
> +            },
>              {
>                "vulnerable": true,
>                "criteria": "cpe:2.3:a:mpg123:mpg123:pre0.59s_r11:*:*:*:*:*:*:*",
>                "matchCriteriaId": "9765C6AD-E1F0-421C-B7B1-C09AD83A3DB7"
>              }
>            ]
> 
> However I'm not sure why adding another vulnerable version should switch
> the vulnerability flag from true to false...
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb b/meta/recipes-
> multimedia/mpg123/mpg123_1.33.4.bb
> index 648eb21500..dd5f8a53f5 100644
> --- a/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb
> +++ b/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb
> @@ -53,3 +53,5 @@ EXTRA_OECONF = " \
>  #| make[3]: *** [equalizer.lo] Error 1
>  ARM_INSTRUCTION_SET:armv4 = "arm"
>  ARM_INSTRUCTION_SET:armv5 = "arm"
> +
> +CVE_STATUS[CVE-2006-3355] = "fixed-version: fixed since pre0.59s_r11"

Re: [PATCH 6/6] mpg123: set status for CVE-2006-3355

[Benjamin Robin]

On Monday, April 13, 2026 at 11:23 PM, Marko, Peter wrote:
> Benjamin,
> 
> This one is weird
> How can someone debug the sbom-cve-check script to figure out why the match is positive or negative?
> That would be great feature if there would be some option to print the comparisons.

Yeah, this is in the backlog, sbom-cve-check should have an "audit log".
But this is not that simple, and I have other priorities :)

> Peter

> > From: Peter Marko <peter.marko@siemens.com>
> > 
> > This seems to be a bug in sbom-cve-check.
> > I could get a clean report with following fkie change:
> > 
> >            "cpeMatch": [
> > +            {
> > +              "vulnerable": true,
> > +              "criteria": "cpe:2.3:a:mpg123:mpg123:0.59r:*:*:*:*:*:*:*",
> > +              "matchCriteriaId": "1F8EEF7E-C6BB-4669-81D2-68AABF8A7686"
> > +            },
> >              {
> >                "vulnerable": true,
> >                "criteria": "cpe:2.3:a:mpg123:mpg123:pre0.59s_r11:*:*:*:*:*:*:*",
> >                "matchCriteriaId": "9765C6AD-E1F0-421C-B7B1-C09AD83A3DB7"
> >              }
> >            ]

The algorithm is described here:
https://sbom-cve-check.readthedocs.io/en/latest/design.html#compute-vex-assessment

But in summary, the CVE is found "applicable" (associated with mpg123 component),
but no valide version range was found (pre0.59s_r11 is not a valid version).
So as documented: "In the end if no assessment could be computed, generate a
default assessment indicating that databases do not contain enough version
information. This default assessment considers that the component is affected
(vulnerable) by this CVE".

> > 
> > However I'm not sure why adding another vulnerable version should switch
> > the vulnerability flag from true to false...

Adding a new valid cpeMatch entry is going to fix it. But maybe not exactly
this one, I guess we need to express that version range <= 0.59

For information, I am currently working on a big improvement for the
generation of VEX assessment (statement and status notes).

-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com