* [PATCH scarthgap 0/3] meta: Backport rejected CVEs and SPDX3 fixes
From: Benjamin Robin (Schneider Electric) @ 2026-03-03 16:46 UTC (permalink / raw)
To: openembedded-core
Cc: mathieu.dubois-briand, richard.purdie, JPEWhacker,
thomas.petazzoni, pascal.eberhard,
Benjamin Robin (Schneider Electric), Ross Burton,
David Nyström
This series backports three patches from `master` to `Scarthgap`.
Removed references to rejected CVEs:
- Removed references to `CVE-2025-62813` and `CVE-2021-3502` in patch
files, as these CVEs have been rejected.
- This change prevents rejected CVE references from appearing in the
generated SBOM.
Fixed kernel `CONFIG_` generation in SPDX3:
- Backported a fix for the generation of kernel `CONFIG_` values in
SPDX3 output.
- This is an important fix, as the generated SBOM file might otherwise
randomly omit kernel `CONFIG_` values.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
Benjamin Robin (Schneider Electric) (3):
avahi: Remove a reference to the rejected CVE-2021-36217
lz4: Remove a reference to the rejected CVE-2025-62813
meta: fix generation of kernel CONFIG_ in SPDX3
meta/classes-recipe/kernel.bbclass | 27 ++++++++++++----------
meta/lib/oeqa/selftest/cases/spdx.py | 2 +-
.../avahi/files/local-ping.patch | 1 -
...5-62813.patch => fix-null-error-handling.patch} | 1 -
meta/recipes-support/lz4/lz4_1.9.4.bb | 2 +-
5 files changed, 17 insertions(+), 16 deletions(-)
---
base-commit: a9a785d7fa0cfe2a9087dbcde0ef9f0d2a441375
change-id: 20260303-backport-fixes-scarthgap-c8d4140edfa0
Best regards,
--
Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
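The cover letter's point is that a rejected id left in a patch header tag or in a patch file name propagates into cve-check's "patched" list and from there into the SBOM, so the check is worth doing before a series is sent. The following scanner is an added example, not part of this series or of OE-core: it collects CVE ids from `CVE:` header tags and from the patch file name (the two places the hunks in this thread edit) and reports those in a caller-supplied rejected set. The sample patches and the rejected set are constructed from the headers shown in this thread; real triage would take the rejected set from the CVE feed.

```python
import re
from typing import Dict, List, Set

# A "CVE: CVE-YYYY-NNNN [CVE-YYYY-NNNN ...]" header tag, as carried by OE patch files.
CVE_TAG_RE = re.compile(r"^CVE:((?:[ \t]+CVE-\d{4}-\d{4,})+)[ \t]*$", re.MULTILINE)
# A CVE id embedded in a file name, e.g. CVE-2025-62813.patch.
CVE_NAME_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cve_ids_in_patch(name: str, text: str) -> Set[str]:
    """Return every CVE id a patch claims to address, from its file name and CVE: tags."""
    ids = set(CVE_NAME_RE.findall(name))
    for match in CVE_TAG_RE.finditer(text):
        ids.update(match.group(1).split())
    return ids


def rejected_references(patches: Dict[str, str], rejected: Set[str]) -> Dict[str, List[str]]:
    """Map patch name -> sorted rejected ids it references; patches with none are omitted."""
    findings: Dict[str, List[str]] = {}
    for name, text in patches.items():
        hits = sorted(cve_ids_in_patch(name, text) & rejected)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample patch headers mirroring the avahi and lz4 files in this series.
SAMPLE_PATCHES = {
    "local-ping.patch": "CVE: CVE-2021-36217\nCVE: CVE-2021-3502\nUpstream-Status: Backport\n",
    "CVE-2025-62813.patch": "Upstream-Status: Backport [upstream-commit-url]\nCVE: CVE-2025-62813\n",
    "fix-null-error-handling.patch": "Upstream-Status: Backport [upstream-commit-url]\n",
}
# Constructed rejected set; the ids are the two this series drops.
SAMPLE_REJECTED = {"CVE-2021-36217", "CVE-2025-62813"}

if __name__ == "__main__":
    for patch_name, ids in rejected_references(SAMPLE_PATCHES, SAMPLE_REJECTED).items():
        print(f"{patch_name}: references rejected {', '.join(ids)}")
```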
* [PATCH scarthgap 1/3] avahi: Remove a reference to the rejected CVE-2021-36217
From: Benjamin Robin (Schneider Electric) @ 2026-03-03 16:46 UTC (permalink / raw)
To: openembedded-core
Cc: mathieu.dubois-briand, richard.purdie, JPEWhacker,
thomas.petazzoni, pascal.eberhard,
Benjamin Robin (Schneider Electric), Ross Burton
CVE-2021-36217 is rejected, and should no longer be referenced.
CVE-2021-36217 is a duplicate of CVE-2021-3502 which is already
referenced in the local-ping.patch.
The CVE database indicates the following reason:
ConsultIDs: CVE-2021-3502. Reason: This candidate is a duplicate of
CVE-2021-3502. Notes: All CVE users should reference CVE-2021-3502
instead of this candidate. All references and descriptions in this
candidate have been removed to prevent accidental usage.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
(cherry picked from commit bf41240132e2efa6b46aab46290eed9c53e312e9)
---
meta/recipes-connectivity/avahi/files/local-ping.patch | 1 -
1 file changed, 1 deletion(-)
diff --git a/meta/recipes-connectivity/avahi/files/local-ping.patch b/meta/recipes-connectivity/avahi/files/local-ping.patch
index 29c192d296e0..8f102815df04 100644
--- a/meta/recipes-connectivity/avahi/files/local-ping.patch
+++ b/meta/recipes-connectivity/avahi/files/local-ping.patch
@@ -1,4 +1,3 @@
-CVE: CVE-2021-36217
CVE: CVE-2021-3502
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@arm.com>
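Review bot: the cover letter for this series says the removed references are CVE-2025-62813 and CVE-2021-3502, but this hunk removes `CVE: CVE-2021-36217` and keeps `CVE: CVE-2021-3502`, which is what the commit message describes (36217 is the rejected duplicate of 3502). Please correct the cover letter to name CVE-2021-36217 so the series description and the change agree; the hunk itself is right.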
--
2.53.0
* [PATCH scarthgap 2/3] lz4: Remove a reference to the rejected CVE-2025-62813
From: Benjamin Robin (Schneider Electric) @ 2026-03-03 16:46 UTC (permalink / raw)
To: openembedded-core
Cc: mathieu.dubois-briand, richard.purdie, JPEWhacker,
thomas.petazzoni, pascal.eberhard,
Benjamin Robin (Schneider Electric), David Nyström
CVE-2025-62813 is rejected, so do not reference it anymore.
Keep the patch, but without referencing the CVE identifier.
The CVE database indicates the following reason:
This candidate was withdrawn by its CNA. Further investigation
showed that it was not a security issue.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
(cherry picked from commit 9c840a69b62a5fdffb3679a44d68dd5630b2916c)
---
.../lz4/files/{CVE-2025-62813.patch => fix-null-error-handling.patch} | 1 -
meta/recipes-support/lz4/lz4_1.9.4.bb | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/meta/recipes-support/lz4/files/CVE-2025-62813.patch b/meta/recipes-support/lz4/files/fix-null-error-handling.patch
similarity index 99%
rename from meta/recipes-support/lz4/files/CVE-2025-62813.patch
rename to meta/recipes-support/lz4/files/fix-null-error-handling.patch
index bbd0f74541a0..14019360343d 100644
--- a/meta/recipes-support/lz4/files/CVE-2025-62813.patch
+++ b/meta/recipes-support/lz4/files/fix-null-error-handling.patch
@@ -8,7 +8,6 @@ Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Upstream-Status: Backport [Upstream commit https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82]
-CVE: CVE-2025-62813
Signed-off-by: David Nyström <david.nystrom@est.tech>
---
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index 8c96f9bab424..fdf0263080dc 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -14,7 +14,7 @@ SRCREV = "5ff839680134437dbf4678f3d0c7b371d84f4964"
SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https \
file://run-ptest \
- file://CVE-2025-62813.patch \
+ file://fix-null-error-handling.patch \
"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
--
2.53.0
* [PATCH scarthgap 3/3] meta: fix generation of kernel CONFIG_ in SPDX3
From: Benjamin Robin (Schneider Electric) @ 2026-03-03 16:46 UTC (permalink / raw)
To: openembedded-core
Cc: mathieu.dubois-briand, richard.purdie, JPEWhacker,
thomas.petazzoni, pascal.eberhard,
Benjamin Robin (Schneider Electric)
With the current solution, using a separate task
(do_create_kernel_config_spdx), there is a dependency issue. Sometimes
the final rootfs SBOM does not contain the CONFIG_ values.
do_create_kernel_config_spdx is executed after do_create_spdx which
deploys the SPDX file. do_create_kernel_config_spdx calls
oe.sbom30.find_root_obj_in_jsonld to read from the deploy directory,
which is OK, but the do_create_kernel_config_spdx ends up writing to
this deployed file (updating it).
do_create_rootfs_spdx has an explicit dependency to all do_create_spdx
tasks, but there is nothing that prevents executing
do_create_kernel_config_spdx after do_create_rootfs_spdx.
To fix it, instead, now read from the workdir, and write to the
workdir, and do the processing from the do_create_spdx task:
we append to the do_create_spdx task.
Furthermore, update the oeqa selftest to execute do_create_spdx instead
of the removed function.
Also only execute this code if create-spdx-3.0 was inherited;
previously it could be executed if create-spdx-2.2 was
inherited.
Fixes: 1fff29a04287 ("kernel.bbclass: Add task to export kernel configuration to SPDX")
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
(cherry picked from commit 8417f4a186e78a9d309541f5d0e711178bb80488)
---
meta/classes-recipe/kernel.bbclass | 27 +++++++++++++++------------
meta/lib/oeqa/selftest/cases/spdx.py | 2 +-
2 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/meta/classes-recipe/kernel.bbclass b/meta/classes-recipe/kernel.bbclass
index 39e198864e40..618324f75ff6 100644
--- a/meta/classes-recipe/kernel.bbclass
+++ b/meta/classes-recipe/kernel.bbclass
@@ -870,14 +870,13 @@ addtask deploy after do_populate_sysroot do_packagedata
EXPORT_FUNCTIONS do_deploy
-python __anonymous() {
- inherits = (d.getVar("INHERIT") or "")
- if "create-spdx" in inherits:
- bb.build.addtask('do_create_kernel_config_spdx', 'do_populate_lic do_deploy', 'do_create_spdx', d)
-}
+do_create_spdx:append() {
+ def create_kernel_config_spdx(d):
+ if not bb.data.inherits_class("create-spdx-3.0", d):
+ return
+ if d.getVar("SPDX_INCLUDE_KERNEL_CONFIG", True) != "1":
+ return
-python do_create_kernel_config_spdx() {
- if d.getVar("SPDX_INCLUDE_KERNEL_CONFIG", True) == "1":
import oe.spdx30
import oe.spdx30_tasks
from pathlib import Path
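Review bot: `d.getVar("SPDX_INCLUDE_KERNEL_CONFIG", True)` keeps the legacy positional expand argument; getVar expands by default, so `d.getVar("SPDX_INCLUDE_KERNEL_CONFIG")` is the form used elsewhere in OE-core. The switch from a substring test on INHERIT to `bb.data.inherits_class("create-spdx-3.0", d)` is the important part of this hunk, since the old check also matched create-spdx-2.2, as the commit message notes. One thing to confirm: `do_create_spdx:append()` is only treated as Python because the base do_create_spdx task is Python, so the create-spdx class must already be inherited when kernel.bbclass is parsed.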
@@ -909,9 +908,11 @@ python do_create_kernel_config_spdx() {
except Exception as e:
bb.error(f"Failed to parse kernel config file: {e}")
- build, build_objset = oe.sbom30.find_root_obj_in_jsonld(
- d, "recipes", f"recipe-{pn}", oe.spdx30.build_Build
- )
+ path = oe.sbom30.jsonld_arch_path(d, pkg_arch, "recipes", f"recipe-{pn}", deploydir=deploydir)
+ build_objset = oe.sbom30.load_jsonld(d, path, required=True)
+ build = build_objset.find_root(oe.spdx30.build_Build)
+ if not build:
+ bb.fatal("No root %s found in %s" % (oe.spdx30.build_Build.__name__, path))
kernel_build = build_objset.add_root(
oe.spdx30.build_Build(
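Review bot: `deploydir`, `pkg_arch` and `pn` used in the new `jsonld_arch_path(...)` call are defined outside this hunk. The commit message says the document is now read from and written to the work directory, so please confirm that `deploydir` here is the do_create_spdx work-directory output and not DEPLOY_DIR_SPDX; otherwise this append would still modify an already-deployed file. Replacing `find_root_obj_in_jsonld` with `load_jsonld(..., required=True)` plus `find_root` and a `bb.fatal` that names `path` is an improvement, because a missing root now fails with the file it looked in.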
@@ -930,9 +931,11 @@ python do_create_kernel_config_spdx() {
[kernel_build]
)
- oe.sbom30.write_jsonld_doc(d, build_objset, deploydir / pkg_arch / "recipes" / f"recipe-{pn}.spdx.json")
+ oe.sbom30.write_jsonld_doc(d, build_objset, path)
+
+ create_kernel_config_spdx(d)
}
-do_create_kernel_config_spdx[depends] = "virtual/kernel:do_configure"
+do_create_spdx[depends] += "virtual/kernel:do_configure"
# Add using Device Tree support
inherit kernel-devicetree
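Review bot: `do_create_spdx[depends] += "virtual/kernel:do_configure"` is now unconditional, where the old task was only added when create-spdx was inherited; with create-spdx absent the flag attaches to a task that is never scheduled, so this is harmless, but a one-line comment saying so would save the next reader the check. Writing back to `path` (the same location that was read) instead of the hard-coded `deploydir / pkg_arch / "recipes" / f"recipe-{pn}.spdx.json"` is the actual fix for the write-after-deploy ordering problem and looks correct.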
diff --git a/meta/lib/oeqa/selftest/cases/spdx.py b/meta/lib/oeqa/selftest/cases/spdx.py
index 035f3fe33636..3373988ca403 100644
--- a/meta/lib/oeqa/selftest/cases/spdx.py
+++ b/meta/lib/oeqa/selftest/cases/spdx.py
@@ -298,7 +298,7 @@ class SPDX30Check(SPDX3CheckBase, OESelftestTestCase):
objset = self.check_recipe_spdx(
kernel_recipe,
spdx_path,
- task="do_create_kernel_config_spdx",
+ task="do_create_spdx",
extraconf="""\
INHERIT += "create-spdx"
SPDX_INCLUDE_KERNEL_CONFIG = "1"
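Review bot: the selftest's extraconf still uses `INHERIT += "create-spdx"` while the class code now gates on `bb.data.inherits_class("create-spdx-3.0", d)`, so the test only exercises the new path when create-spdx resolves to 3.0 for SPDX30Check. If that resolution comes from a default set elsewhere, pinning it in extraconf (or inheriting create-spdx-3.0 directly) would make the test independent of that default.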
--
2.53.0
* Re: [OE-core] [PATCH scarthgap 0/3] meta: Backport rejected CVEs and SPDX3 fixes
From: Yoann Congal @ 2026-03-04 19:14 UTC (permalink / raw)
To: benjamin.robin, openembedded-core
Cc: mathieu.dubois-briand, richard.purdie, JPEWhacker,
thomas.petazzoni, pascal.eberhard, Ross Burton,
David Nyström
On Tue Mar 3, 2026 at 5:46 PM CET, Benjamin Robin via lists.openembedded.org wrote:
> This series backports three patches from `master` to `Scarthgap`.
>
> Removed references to rejected CVEs:
> - Removed references to `CVE-2025-62813` and `CVE-2021-3502` in patch
> files, as these CVEs have been rejected.
> - This change prevents rejected CVE references from appearing in the
> generated SBOM.
>
> Fixed kernel `CONFIG_` generation in SPDX3:
> - Backported a fix for the generation of kernel `CONFIG_` values in
> SPDX3 output.
> - This is an important fix, as the generated SBOM file might otherwise
> randomly omit kernel `CONFIG_` values.
>
> Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
> ---
> Benjamin Robin (Schneider Electric) (3):
> avahi: Remove a reference to the rejected CVE-2021-36217
> lz4: Remove a reference to the rejected CVE-2025-62813
> meta: fix generation of kernel CONFIG_ in SPDX3
>
> meta/classes-recipe/kernel.bbclass | 27 ++++++++++++----------
> meta/lib/oeqa/selftest/cases/spdx.py | 2 +-
> .../avahi/files/local-ping.patch | 1 -
> ...5-62813.patch => fix-null-error-handling.patch} | 1 -
> meta/recipes-support/lz4/lz4_1.9.4.bb | 2 +-
> 5 files changed, 17 insertions(+), 16 deletions(-)
> ---
> base-commit: a9a785d7fa0cfe2a9087dbcde0ef9f0d2a441375
> change-id: 20260303-backport-fixes-scarthgap-c8d4140edfa0
>
> Best regards,
Hello,
Can you please send the equivalent series for whinlatter?
Thanks!
--
Yoann Congal
Smile ECS
* Re: [OE-core] [PATCH scarthgap 0/3] meta: Backport rejected CVEs and SPDX3 fixes
From: Benjamin Robin @ 2026-03-05 8:29 UTC (permalink / raw)
To: openembedded-core, Yoann Congal
Cc: mathieu.dubois-briand, richard.purdie, JPEWhacker,
thomas.petazzoni, pascal.eberhard, Ross Burton,
David Nyström, kamel.bouhara
On Wednesday, March 4, 2026 at 8:14 PM, Yoann Congal wrote:
> On Tue Mar 3, 2026 at 5:46 PM CET, Benjamin Robin via lists.openembedded.org wrote:
> > This series backports three patches from `master` to `Scarthgap`.
> >
> > Removed references to rejected CVEs:
> > - Removed references to `CVE-2025-62813` and `CVE-2021-3502` in patch
> > files, as these CVEs have been rejected.
> > - This change prevents rejected CVE references from appearing in the
> > generated SBOM.
> >
> > Fixed kernel `CONFIG_` generation in SPDX3:
> > - Backported a fix for the generation of kernel `CONFIG_` values in
> > SPDX3 output.
> > - This is an important fix, as the generated SBOM file might otherwise
> > randomly omit kernel `CONFIG_` values.
>
> Hello,
>
> Can you please send the equivalent series for whinlatter?
Hello Yoann,
I can send an "equivalent" series for whinlatter but only with the CVE
"fixes".
The generation of kernel `CONFIG_` values in SPDX3 output was not
backported to whinlatter: it is only in master and Scarthgap.
Let me know what I need to do in this case.
Best regards,
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* Re: [OE-core] [PATCH scarthgap 0/3] meta: Backport rejected CVEs and SPDX3 fixes
From: Yoann Congal @ 2026-03-05 9:27 UTC (permalink / raw)
To: Benjamin Robin, openembedded-core
Cc: mathieu.dubois-briand, richard.purdie, JPEWhacker,
thomas.petazzoni, pascal.eberhard, Ross Burton,
David Nyström, kamel.bouhara
On Thu Mar 5, 2026 at 9:29 AM CET, Benjamin Robin wrote:
> On Wednesday, March 4, 2026 at 8:14 PM, Yoann Congal wrote:
>> On Tue Mar 3, 2026 at 5:46 PM CET, Benjamin Robin via lists.openembedded.org wrote:
>> > This series backports three patches from `master` to `Scarthgap`.
>> >
>> > Removed references to rejected CVEs:
>> > - Removed references to `CVE-2025-62813` and `CVE-2021-3502` in patch
>> > files, as these CVEs have been rejected.
>> > - This change prevents rejected CVE references from appearing in the
>> > generated SBOM.
>> >
>> > Fixed kernel `CONFIG_` generation in SPDX3:
>> > - Backported a fix for the generation of kernel `CONFIG_` values in
>> > SPDX3 output.
>> > - This is an important fix, as the generated SBOM file might otherwise
>> > randomly omit kernel `CONFIG_` values.
>>
>> Hello,
>>
>> Can you please send the equivalent series for whinlatter?
>
> Hello Yoann,
>
> I can send an "equivalent" series for whinlatter but only with the CVE
> "fixes".
> The generation of kernel `CONFIG_` values in SPDX3 output was not
> backported in whinlatter: It is only in master and Scarthgap.
Oh, that's why I couldn't trivially backport the patch (I did not look
why).
> Let me know what I need to do in this case?
I can do the cherry-pick for the 2 rejected CVE patches.
Thanks!
--
Yoann Congal
Smile ECS