* [PATCH 1/6] xdg-utils: set status for CVE-2025-52968
@ 2026-04-13 21:14 Peter Marko
From: Peter Marko @ 2026-04-13 21:14 UTC (permalink / raw)
To: openembedded-core; +Cc: Peter Marko
From: Peter Marko <peter.marko@siemens.com>
This CVE has tag "disputed", see [1].
[1] https://github.com/CVEProject/cvelistV5/blob/cve_2026-04-12_1800Z/cves/2025/52xxx/CVE-2025-52968.json#L91
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
index 3ee320da5a..e39a65831e 100644
--- a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
+++ b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
@@ -36,3 +36,5 @@ REQUIRED_DISTRO_FEATURES = "x11"
DEPENDS = "xmlto-native libxslt-native"
RDEPENDS:${PN} += "xprop"
+
+CVE_STATUS[CVE-2025-52968] = "disputed"
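Review bot: the added `CVE_STATUS[CVE-2025-52968] = "disputed"` carries nothing after the status keyword, so the generated CVE report will not say why this entry is disputed; the commit message points at the cvelistV5 JSON, and the format used elsewhere in this series (`"fixed-version: fixed since 5.0.1"` in the screen patch) allows a description after the colon. Suggest `CVE_STATUS[CVE-2025-52968] = "disputed: tagged disputed in cvelistV5"` or similar so the rationale survives in the recipe rather than only in git history.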
^ permalink raw reply related [flat|nested] 8+ messages in thread* [PATCH 2/6] wic: set CVE_PRODUCT 2026-04-13 21:14 [PATCH 1/6] xdg-utils: set status for CVE-2025-52968 Peter Marko @ 2026-04-13 21:14 ` Peter Marko 2026-04-13 21:14 ` [PATCH 3/6] tar: set status for CVE-2025-45582 Peter Marko ` (3 subsequent siblings) 4 siblings, 0 replies; 8+ messages in thread From: Peter Marko @ 2026-04-13 21:14 UTC (permalink / raw) To: openembedded-core; +Cc: Peter Marko From: Peter Marko <peter.marko@siemens.com> Current CVE reports show following CVE-2008-6713 as open. NVD shows CPE as massive_entertainment:wic ([1]). Set vendor as yoctoproject, which is best approximation of possible future CVEs as it is already used for other yocto repositories. [1] https://nvd.nist.gov/vuln/detail/CVE-2008-6713 Signed-off-by: Peter Marko <peter.marko@siemens.com> --- meta/recipes-support/wic/wic_0.3.0.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-support/wic/wic_0.3.0.bb b/meta/recipes-support/wic/wic_0.3.0.bb index a0a2773c76..c9732a359a 100644 --- a/meta/recipes-support/wic/wic_0.3.0.bb +++ b/meta/recipes-support/wic/wic_0.3.0.bb @@ -8,6 +8,9 @@ SRCREV = "5974ade11032f218841d9f449ef0efeee3f9a2ca" inherit python_hatchling +# do not report CVEs for other wic tools +CVE_PRODUCT = "yoctoproject:wic" + RDEPENDS:${PN} += " \ python3-core \ python3-json \ ^ permalink raw reply related [flat|nested] 8+ messages in thread
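Review bot: the comment `# do not report CVEs for other wic tools` above `CVE_PRODUCT = "yoctoproject:wic"` records neither that the entry exists to exclude CVE-2008-6713 (NVD CPE vendor `massive_entertainment`) nor that `yoctoproject` is, per the commit message, only an approximation of a vendor NVD has not assigned; suggest naming both in the comment so a reader can revisit the value once a real CPE for this wic appears. Since this is a plain assignment rather than `+=`, it also replaces the default product name derived from the recipe, which is the intent here but worth stating in the commit message.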
* [PATCH 3/6] tar: set status for CVE-2025-45582 2026-04-13 21:14 [PATCH 1/6] xdg-utils: set status for CVE-2025-52968 Peter Marko 2026-04-13 21:14 ` [PATCH 2/6] wic: set CVE_PRODUCT Peter Marko @ 2026-04-13 21:14 ` Peter Marko 2026-04-13 21:14 ` [PATCH 4/6] screen: set status for CVE-2025-46802 Peter Marko ` (2 subsequent siblings) 4 siblings, 0 replies; 8+ messages in thread From: Peter Marko @ 2026-04-13 21:14 UTC (permalink / raw) To: openembedded-core; +Cc: Peter Marko From: Peter Marko <peter.marko@siemens.com> This CVE is disputed by tar maintainers as documented in [1]. The same link is present in NVD and cvelistV5. Also Debian says "disputed" in [2]. [1] https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html [2] https://security-tracker.debian.org/tracker/CVE-2025-45582 Signed-off-by: Peter Marko <peter.marko@siemens.com> --- meta/recipes-extended/tar/tar_1.35.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-extended/tar/tar_1.35.bb b/meta/recipes-extended/tar/tar_1.35.bb index d463eff97d..042baa035c 100644 --- a/meta/recipes-extended/tar/tar_1.35.bb +++ b/meta/recipes-extended/tar/tar_1.35.bb @@ -95,6 +95,8 @@ BBCLASSEXTEND = "native nativesdk" # For example CVE-2021-{32803,32804,37701,37712,37713} CVE_PRODUCT = "gnu:tar" +CVE_STATUS[CVE-2025-45582] = "disputed" + # A test uses cmp to compare two 8GB files. Busybox's cmp does the job usually, but it is much slower than # diffutils' cmp, and the test times out when there is a high load on the host machine. RDEPENDS:${PN}-ptest += "diffutils" ^ permalink raw reply related [flat|nested] 8+ messages in thread
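Review bot: `CVE_STATUS[CVE-2025-45582] = "disputed"` gives no reason in the recipe even though the commit message cites the tar maintainers' bug-tar message and the Debian tracker; suggest carrying the source into the status text, e.g. `"disputed: disputed by tar maintainers, see https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html"`, so the justification is visible in the generated report. The hunk adds a blank line after the new entry but none before it, so it reads as part of the `CVE_PRODUCT = "gnu:tar"` block; a blank line on both sides would match the surrounding layout.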
* [PATCH 4/6] screen: set status for CVE-2025-46802 2026-04-13 21:14 [PATCH 1/6] xdg-utils: set status for CVE-2025-52968 Peter Marko 2026-04-13 21:14 ` [PATCH 2/6] wic: set CVE_PRODUCT Peter Marko 2026-04-13 21:14 ` [PATCH 3/6] tar: set status for CVE-2025-45582 Peter Marko @ 2026-04-13 21:14 ` Peter Marko 2026-04-13 21:14 ` [PATCH 5/6] ovmf: set status for CVE-2024-1298 Peter Marko 2026-04-13 21:14 ` [PATCH 6/6] mpg123: set status for CVE-2006-3355 Peter Marko 4 siblings, 0 replies; 8+ messages in thread From: Peter Marko @ 2026-04-13 21:14 UTC (permalink / raw) To: openembedded-core; +Cc: Peter Marko From: Peter Marko <peter.marko@siemens.com> This CVE is showing in the new sbom CVE reports. It is fixed via [1] which is included in: $git tag --contains d10eb5b2f7eebaa347f09c010bd391373fdd1695 v.5.0.1 [1] https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=d10eb5b2f7eebaa347f09c010bd391373fdd1695 Signed-off-by: Peter Marko <peter.marko@siemens.com> --- meta/recipes-extended/screen/screen_5.0.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-extended/screen/screen_5.0.1.bb b/meta/recipes-extended/screen/screen_5.0.1.bb index 69f4098519..0155ece374 100644 --- a/meta/recipes-extended/screen/screen_5.0.1.bb +++ b/meta/recipes-extended/screen/screen_5.0.1.bb @@ -44,3 +44,5 @@ pkg_postinst:${PN} () { pkg_postrm:${PN} () { printf "$(grep -v "^${bindir}/screen$" $D${sysconfdir}/shells)\n" > $D${sysconfdir}/shells } + +CVE_STATUS[CVE-2025-46802] = "fixed-version: fixed since 5.0.1" ^ permalink raw reply related [flat|nested] 8+ messages in thread
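Review bot: the recipe is already screen_5.0.1.bb, so `"fixed-version: fixed since 5.0.1"` asserts that the packaged version equals the fix version without saying why the checker still reports the CVE; the commit message only says it shows up in the new sbom CVE reports. The justification should name which data source still flags 5.0.1, so the entry can be dropped once that data is corrected, and the fix commit d10eb5b2f7eebaa347f09c010bd391373fdd1695 referenced in the message is worth carrying into the status text as well. Note the `git tag --contains` output in the message reads `v.5.0.1`, which differs from the recipe's `5.0.1` and may be why a tag-based lookup fails.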
* [PATCH 5/6] ovmf: set status for CVE-2024-1298 2026-04-13 21:14 [PATCH 1/6] xdg-utils: set status for CVE-2025-52968 Peter Marko ` (2 preceding siblings ...) 2026-04-13 21:14 ` [PATCH 4/6] screen: set status for CVE-2025-46802 Peter Marko @ 2026-04-13 21:14 ` Peter Marko 2026-04-13 21:14 ` [PATCH 6/6] mpg123: set status for CVE-2006-3355 Peter Marko 4 siblings, 0 replies; 8+ messages in thread From: Peter Marko @ 2026-04-13 21:14 UTC (permalink / raw) To: openembedded-core; +Cc: Peter Marko From: Peter Marko <peter.marko@siemens.com> cvelistV5 uses full tag name (edk2-stable202405) while NVD uses only version (202405). Since NVD CPE is not yet available, cvelistV5 marks it at not patched yet because the string sorts after the version. Signed-off-by: Peter Marko <peter.marko@siemens.com> --- meta/recipes-core/ovmf/ovmf_git.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index ec6c3b516c..150e2d47e0 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb @@ -45,6 +45,7 @@ CVE_STATUS[CVE-2019-14563] = "fixed-version: The CPE in the NVD database doesn't CVE_STATUS[CVE-2019-14575] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." CVE_STATUS[CVE-2019-14586] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." CVE_STATUS[CVE-2019-14587] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_STATUS[CVE-2024-1298] = "fixed-version: fixed since edk2-stable202405" inherit deploy ^ permalink raw reply related [flat|nested] 8+ messages in thread
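Review bot: the status text `"fixed-version: fixed since edk2-stable202405"` does not carry the explanation from the commit message (cvelistV5 uses the full tag name while NVD uses the bare 202405, and the tag string sorts after the version), whereas the neighbouring CVE-2019-* entries explain their database problem inline; suggest the same phrasing here so a later reader knows the entry becomes unnecessary once the NVD CPE exists. Also confirm in the commit message that the revision the recipe builds is at or after edk2-stable202405, since the status asserts exactly that.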
* [PATCH 6/6] mpg123: set status for CVE-2006-3355 2026-04-13 21:14 [PATCH 1/6] xdg-utils: set status for CVE-2025-52968 Peter Marko ` (3 preceding siblings ...) 2026-04-13 21:14 ` [PATCH 5/6] ovmf: set status for CVE-2024-1298 Peter Marko @ 2026-04-13 21:14 ` Peter Marko 2026-04-13 21:23 ` Marko, Peter 4 siblings, 1 reply; 8+ messages in thread From: Peter Marko @ 2026-04-13 21:14 UTC (permalink / raw) To: openembedded-core; +Cc: Peter Marko From: Peter Marko <peter.marko@siemens.com> This seems to be a bug in sbom-cve-check. I could get a clean report with following fkie change: "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:mpg123:mpg123:0.59r:*:*:*:*:*:*:*", + "matchCriteriaId": "1F8EEF7E-C6BB-4669-81D2-68AABF8A7686" + }, { "vulnerable": true, "criteria": "cpe:2.3:a:mpg123:mpg123:pre0.59s_r11:*:*:*:*:*:*:*", "matchCriteriaId": "9765C6AD-E1F0-421C-B7B1-C09AD83A3DB7" } ] However I'm not sure why adding another vulnerable version should switch the vulnerability flag from true to false... Signed-off-by: Peter Marko <peter.marko@siemens.com> --- meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb b/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb index 648eb21500..dd5f8a53f5 100644 --- a/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb +++ b/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb @@ -53,3 +53,5 @@ EXTRA_OECONF = " \ #| make[3]: *** [equalizer.lo] Error 1 ARM_INSTRUCTION_SET:armv4 = "arm" ARM_INSTRUCTION_SET:armv5 = "arm" + +CVE_STATUS[CVE-2006-3355] = "fixed-version: fixed since pre0.59s_r11" ^ permalink raw reply related [flat|nested] 8+ messages in thread
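Review bot: `CVE_STATUS[CVE-2006-3355] = "fixed-version: fixed since pre0.59s_r11"` contradicts the database excerpt in the commit message, where pre0.59s_r11 is the entry listed with `"vulnerable": true`, and the message itself says the report looks like a checker bug rather than a version question. The reply in this thread attributes the report to pre0.59s_r11 not being a parseable version, which makes the checker fall back to its default "affected" assessment. Suggest either stating that reason in the status text (the database has no parseable version information for this CVE, so the checker cannot compute a range) or holding the patch until the database entry gets a valid version or range, as discussed in the thread.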
* RE: [PATCH 6/6] mpg123: set status for CVE-2006-3355 2026-04-13 21:14 ` [PATCH 6/6] mpg123: set status for CVE-2006-3355 Peter Marko @ 2026-04-13 21:23 ` Marko, Peter 2026-04-14 6:44 ` Benjamin Robin 0 siblings, 1 reply; 8+ messages in thread From: Marko, Peter @ 2026-04-13 21:23 UTC (permalink / raw) To: Benjamin Robin; +Cc: openembedded-core@lists.openembedded.org, Ross Burton Benjamin, This one is weird How can someone debug the sbom-cve-check script to figure out why the match is positive or negative? That would be great feature if there would be some option to print the comparisons. Peter > -----Original Message----- > From: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com> > Sent: Monday, April 13, 2026 11:15 PM > To: openembedded-core@lists.openembedded.org > Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com> > Subject: [PATCH 6/6] mpg123: set status for CVE-2006-3355 > > From: Peter Marko <peter.marko@siemens.com> > > This seems to be a bug in sbom-cve-check. > I could get a clean report with following fkie change: > > "cpeMatch": [ > + { > + "vulnerable": true, > + "criteria": "cpe:2.3:a:mpg123:mpg123:0.59r:*:*:*:*:*:*:*", > + "matchCriteriaId": "1F8EEF7E-C6BB-4669-81D2-68AABF8A7686" > + }, > { > "vulnerable": true, > "criteria": "cpe:2.3:a:mpg123:mpg123:pre0.59s_r11:*:*:*:*:*:*:*", > "matchCriteriaId": "9765C6AD-E1F0-421C-B7B1-C09AD83A3DB7" > } > ] > > However I'm not sure why adding another vulnerable version should switch > the vulnerability flag from true to false... > > Signed-off-by: Peter Marko <peter.marko@siemens.com> > --- > meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb b/meta/recipes- > multimedia/mpg123/mpg123_1.33.4.bb > index 648eb21500..dd5f8a53f5 100644 > --- a/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb > +++ b/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb 
> @@ -53,3 +53,5 @@ EXTRA_OECONF = " \ > #| make[3]: *** [equalizer.lo] Error 1 > ARM_INSTRUCTION_SET:armv4 = "arm" > ARM_INSTRUCTION_SET:armv5 = "arm" > + > +CVE_STATUS[CVE-2006-3355] = "fixed-version: fixed since pre0.59s_r11" ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 6/6] mpg123: set status for CVE-2006-3355
@ 2026-04-14 6:44 Benjamin Robin
From: Benjamin Robin @ 2026-04-14 6:44 UTC (permalink / raw)
To: Marko, Peter; +Cc: openembedded-core@lists.openembedded.org, Ross Burton
On Monday, April 13, 2026 at 11:23 PM, Marko, Peter wrote:
> Benjamin,
>
> This one is weird
> How can someone debug the sbom-cve-check script to figure out why the match is positive or negative?
> That would be great feature if there would be some option to print the comparisons.
Yeah, this is in the backlog, sbom-cve-check should have an "audit log".
But this is not that simple, and I have other priorities :)
> Peter
>
> From: Peter Marko <peter.marko@siemens.com>
> >
> > This seems to be a bug in sbom-cve-check.
> > I could get a clean report with following fkie change:
> >
> > "cpeMatch": [
> > + {
> > + "vulnerable": true,
> > + "criteria": "cpe:2.3:a:mpg123:mpg123:0.59r:*:*:*:*:*:*:*",
> > + "matchCriteriaId": "1F8EEF7E-C6BB-4669-81D2-68AABF8A7686"
> > + },
> > {
> > "vulnerable": true,
> > "criteria": "cpe:2.3:a:mpg123:mpg123:pre0.59s_r11:*:*:*:*:*:*:*",
> > "matchCriteriaId": "9765C6AD-E1F0-421C-B7B1-C09AD83A3DB7"
> > }
> > ]
The algorithm is described here: https://sbom-cve-check.readthedocs.io/en/latest/design.html#compute-vex-assessment
But in summary, the CVE is found "applicable" (associated with mpg123 component), but no valid version range was found (pre0.59s_r11 is not a valid version).
So as documented: "In the end if no assessment could be computed, generate a default assessment indicating that databases do not contain enough version information. This default assessment considers that the component is affected (vulnerable) by this CVE".
> >
> > However I'm not sure why adding another vulnerable version should switch
> > the vulnerability flag from true to false...
Adding a new valid cpeMatch entry is going to fix it.
But maybe not exactly this one, I guess we need to express that version range <= 0.59
For information, I am currently working on a big improvement for the generation of VEX assessment (statement and status notes).
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
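The fallback described in the reply above, modelled as an added Python example. This is not sbom-cve-check's code and does not follow its implementation; it only reproduces the documented rule that a CVE whose cpeMatch entries name the component but carry no usable version information gets a default "affected" assessment. The version grammar, the `assess` function and the handling of NVD range keys (`versionStartIncluding`, `versionEndIncluding`, `versionEndExcluding`) are assumptions of this example, and the cpeMatch lists are constructed from the criteria quoted in the thread, so the three cases can be compared side by side: the original entry, the pinned `0.59r` entry from the commit message, and a range entry of the `<= 0.59` kind the reply suggests.

```python
import re
from dataclasses import dataclass

# Assumption of this example: a version is usable only if it is dotted numbers
# with at most one trailing letter ("0.59r" parses, "pre0.59s_r11" does not).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?$")


def parse_version(text):
    """Return a comparable tuple for a version string, or None if unparseable."""
    m = _VERSION_RE.match(text)
    if m is None:
        return None
    numbers = tuple(int(n) for n in m.group(1).split("."))
    return (numbers, m.group(2) or "")


def split_cpe(criteria):
    """Vendor, product and version fields of a CPE 2.3 formatted string."""
    fields = criteria.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % criteria)
    return fields[3], fields[4], fields[5]


@dataclass
class Assessment:
    status: str   # "not_applicable", "affected" or "not_affected"
    reason: str


def assess(vendor, product, version, cpe_matches):
    """Hypothetical model of the documented rule: entries naming this vendor:product
    make the CVE applicable; if none of them yields a comparable version or range,
    the default assessment is 'affected'."""
    comp_ver = parse_version(version)
    applicable = False
    usable = 0
    hits = []
    for entry in cpe_matches:
        ent_vendor, ent_product, ent_version = split_cpe(entry["criteria"])
        if (ent_vendor, ent_product) != (vendor, product):
            continue
        applicable = True
        if comp_ver is None:
            continue  # nothing can be compared against an unparseable component version
        if ent_version == "*":
            # Wildcard version: range keys decide; an entry without any covers every version.
            keys = ("versionStartIncluding", "versionEndIncluding", "versionEndExcluding")
            bounds = {k: parse_version(entry[k]) for k in keys if k in entry}
            if None in bounds.values():
                continue  # unusable: a bound that does not parse
            in_range = True
            if "versionStartIncluding" in bounds and comp_ver < bounds["versionStartIncluding"]:
                in_range = False
            if "versionEndIncluding" in bounds and comp_ver > bounds["versionEndIncluding"]:
                in_range = False
            if "versionEndExcluding" in bounds and comp_ver >= bounds["versionEndExcluding"]:
                in_range = False
        else:
            exact = parse_version(ent_version)
            if exact is None:
                continue  # unusable: pinned version does not parse (the pre0.59s_r11 case)
            in_range = comp_ver == exact
        usable += 1
        if in_range and entry.get("vulnerable", True):
            hits.append(entry["criteria"])
    if not applicable:
        return Assessment("not_applicable", "no cpeMatch entry names this vendor:product")
    if usable == 0:
        return Assessment("affected", "default: databases do not contain enough version information")
    if hits:
        return Assessment("affected", "matched " + ", ".join(hits))
    return Assessment("not_affected", "%d usable entries, none match version %s" % (usable, version))


# Constructed inputs, built from the cpeMatch criteria quoted in the thread.
ORIGINAL_MATCHES = [
    {"vulnerable": True, "criteria": "cpe:2.3:a:mpg123:mpg123:pre0.59s_r11:*:*:*:*:*:*:*"},
]
WITH_PINNED_ENTRY = [
    {"vulnerable": True, "criteria": "cpe:2.3:a:mpg123:mpg123:0.59r:*:*:*:*:*:*:*"},
] + ORIGINAL_MATCHES
WITH_RANGE_ENTRY = [
    {"vulnerable": True, "criteria": "cpe:2.3:a:mpg123:mpg123:*:*:*:*:*:*:*:*",
     "versionEndIncluding": "0.59"},
] + ORIGINAL_MATCHES


if __name__ == "__main__":
    cases = (("original", ORIGINAL_MATCHES),
             ("pinned 0.59r added", WITH_PINNED_ENTRY),
             ("range <= 0.59 added", WITH_RANGE_ENTRY))
    for label, matches in cases:
        a = assess("mpg123", "mpg123", "1.33.4", matches)
        print("%-20s -> %-13s %s" % (label, a.status, a.reason))
```

Run stand-alone, the script shows the three outcomes for mpg123 1.33.4: the original list has no usable entry and falls to the default "affected", while either added entry makes the list usable and, because 1.33.4 matches neither the pin nor the range, yields "not_affected". The range form is the one that also returns "affected" for an old version such as 0.58, which is why the reply prefers a range over a single pinned version.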