* [PATCH] libtheora: set CVE_PRODUCT
@ 2025-12-19 4:01 Ken Kurematsu
2025-12-22 18:57 ` [OE-core] " Randy MacLeod
0 siblings, 1 reply; 9+ messages in thread
From: Ken Kurematsu @ 2025-12-19 4:01 UTC (permalink / raw)
To: openembedded-core@lists.openembedded.org
Cc: Masahiro Mizutani, Yoshitaka Ikeda, Ken Kurematsu
In the NVD database, the product name of libtheora is theora.
This was set to ensure that cve-check works correctly.
Signed-off-by: Ken Kurematsu <k.kurematsu@nskint.co.jp>
---
meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
index 04de8507fb..bacaf3aee6 100644
--- a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
+++ b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
@@ -14,6 +14,8 @@ SRC_URI[sha256sum] = "ebdf77a8f5c0a8f7a9e42323844fa09502b34eb1d1fece7b5f54da41fe
UPSTREAM_CHECK_REGEX = "libtheora-(?P<pver>\d+(\.\d)+)\.(tar\.gz|tgz)"
+CVE_PRODUCT = "theora"
+
inherit autotools pkgconfig
EXTRA_OECONF = "--disable-examples --disable-doc"
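Review bot: the added `CVE_PRODUCT = "theora"` line uses a plain `=`, so the recipe-name default is replaced and the check will no longer look up `libtheora` at all. The commit message should say that this is intended, or the value should list both names. A one-line comment above the assignment noting that NVD tracks this library under the product name theora would also help the next person who touches the recipe.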
--
2.34.1
* Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
2025-12-19 4:01 [PATCH] libtheora: set CVE_PRODUCT Ken Kurematsu
@ 2025-12-22 18:57 ` Randy MacLeod
2025-12-22 23:42 ` Ken Kurematsu
[not found] ` <1883AE2C045A1BB3.1614991@lists.openembedded.org>
0 siblings, 2 replies; 9+ messages in thread
From: Randy MacLeod @ 2025-12-22 18:57 UTC (permalink / raw)
To: k.kurematsu, openembedded-core@lists.openembedded.org
Cc: Masahiro Mizutani, Yoshitaka Ikeda
Hi Ken,
On 2025-12-18 11:01 p.m., Ken Kurematsu via lists.openembedded.org wrote:
> In the NVD database, the product name of libtheora is theora.
> This was set to ensure that cve-check works correctly.
>
> Signed-off-by: Ken Kurematsu<k.kurematsu@nskint.co.jp>
> ---
> meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
> index 04de8507fb..bacaf3aee6 100644
> --- a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
> +++ b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
> @@ -14,6 +14,8 @@ SRC_URI[sha256sum] = "ebdf77a8f5c0a8f7a9e42323844fa09502b34eb1d1fece7b5f54da41fe
>
> UPSTREAM_CHECK_REGEX = "libtheora-(?P<pver>\d+(\.\d)+)\.(tar\.gz|tgz)"
>
> +CVE_PRODUCT = "theora"
> +
From YP patch review,
Please use:
CVE_PRODUCT += "theora"
to catch both libtheora and theora
Thanks,
../Randy
> inherit autotools pkgconfig
>
> EXTRA_OECONF = "--disable-examples --disable-doc"
>
--
# Randy MacLeod
# Wind River Linux
* RE: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
2025-12-22 18:57 ` [OE-core] " Randy MacLeod
@ 2025-12-22 23:42 ` Ken Kurematsu
[not found] ` <1883AE2C045A1BB3.1614991@lists.openembedded.org>
1 sibling, 0 replies; 9+ messages in thread
From: Ken Kurematsu @ 2025-12-22 23:42 UTC (permalink / raw)
To: Randy MacLeod, openembedded-core@lists.openembedded.org
Cc: Masahiro Mizutani, Yoshitaka Ikeda, Ken Kurematsu
Hi Randy,
Thank you for your review.
I will reflect your comments and post v2.
Best regards.
--
Ken Kurematsu <k.kurematsu@nskint.co.jp>
* RE: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
[not found] ` <1883AE2C045A1BB3.1614991@lists.openembedded.org>
@ 2025-12-23 0:05 ` Ken Kurematsu
2025-12-24 1:47 ` Randy MacLeod
0 siblings, 1 reply; 9+ messages in thread
From: Ken Kurematsu @ 2025-12-23 0:05 UTC (permalink / raw)
To: Ken Kurematsu, Randy MacLeod,
openembedded-core@lists.openembedded.org
Cc: Masahiro Mizutani, Yoshitaka Ikeda
Hi Randy,
Let me confirm one thing about your comment.
If I make the corrections as suggested in the comment, when I retrieve CVE_PRODUCT with bitbake-getvar,
only "theora" is included, not "libtheora".
(This is the result of an old test environment, but it was the same in 1.2.0)
$ bitbake-getvar -r libtheora CVE_PRODUCT
#
# $CVE_PRODUCT [2 operations]
# set xxx/create-spdx-2.2.bbclass:11
# [_defaultval] "${BPN}"
# append xxx/libtheora_1.1.1.bb:23
# "theora"
# pre-expansion value:
# " theora"
CVE_PRODUCT=" theora"
If libtheora should be included, I think the following correction would be best. What do you think?
Sorry if I misunderstood.
CVE_PRODUCT = "${BPN} theora"
By the way, the NVD records have the following values, so I think theora alone will be fine.
(itheora is a different product)
$ sqlite3 downloads/CVE_CHECK/nvdcve_2-2.db .dump | grep theora
:
INSERT INTO PRODUCTS VALUES('CVE-2008-0797', 'itheora','itheora','1.0_rc1','=','','');
INSERT INTO PRODUCTS VALUES('CVE-2024-56431', 'xiph','theora','','','1.2.0','<');
$
Best Regards.
--
Ken Kurematsu k.kurematsu@nskint.co.jp
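An added example, not part of the original message and not OE-core's own code, that models the two observations in the message above: how `+=` on a variable that only has a weak `${BPN}` default resolves to `" theora"`, and which of the two quoted NVD rows each candidate `CVE_PRODUCT` value would select. The `PRODUCTS` column names, the exact-product/`LIKE`-vendor query and the helper names `resolve`, `matching_cves` and `compare` are assumptions made for illustration.

```python
import sqlite3

# Constructed sample: the two PRODUCTS rows quoted in the message above.
# The column names are an assumption; only the row shape is on the page.
ROWS = [
    ("CVE-2008-0797", "itheora", "itheora", "1.0_rc1", "=", "", ""),
    ("CVE-2024-56431", "xiph", "theora", "", "", "1.2.0", "<"),
]


def make_db():
    """Build an in-memory stand-in for the NVD product table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE PRODUCTS (ID TEXT, VENDOR TEXT, PRODUCT TEXT, "
        "VERSION_START TEXT, OPERATOR_START TEXT, "
        "VERSION_END TEXT, OPERATOR_END TEXT)"
    )
    db.executemany("INSERT INTO PRODUCTS VALUES (?,?,?,?,?,?,?)", ROWS)
    return db


def resolve(ops, bpn, weak_default="${BPN}"):
    """Simplified model of BitBake assignment for a single variable.

    ops is a list of (operator, text) in parse order. The weak default is
    used only when no operation ever gave the variable a value, which is
    why an append alone loses it.
    """
    value = None
    for op, text in ops:
        if op == "=":
            value = text                        # replaces anything before it
        elif op == "+=":
            value = (value or "") + " " + text  # append with a leading space
        else:
            raise ValueError(f"unsupported operator: {op}")
    if value is None:
        value = weak_default
    return value.replace("${BPN}", bpn)


def matching_cves(db, cve_product):
    """Return {entry: [CVE ids]} for each whitespace-separated entry.

    An entry may be 'product' or 'vendor:product'. The product must match
    exactly, so 'theora' does not select the 'itheora' row that a plain
    grep over the dump also prints.
    """
    hits = {}
    for entry in cve_product.split():
        vendor, _, product = entry.rpartition(":")
        cur = db.execute(
            "SELECT DISTINCT ID FROM PRODUCTS "
            "WHERE PRODUCT = ? AND VENDOR LIKE ? ORDER BY ID",
            (product, vendor or "%"),
        )
        hits[entry] = [row[0] for row in cur]
    return hits


def compare(bpn="libtheora"):
    """Resolve each assignment discussed in the thread and look it up."""
    db = make_db()
    candidates = {
        "default only": [],
        '+= "theora"': [("+=", "theora")],
        '= "theora"': [("=", "theora")],
        '= "${BPN} theora"': [("=", "${BPN} theora")],
    }
    report = {}
    for label, ops in candidates.items():
        value = resolve(ops, bpn)
        report[label] = (value, matching_cves(db, value))
    return report


if __name__ == "__main__":
    for label, (value, hits) in compare().items():
        print(f"{label:20} CVE_PRODUCT={value!r:22} -> {hits}")
```
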
* Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
2025-12-23 0:05 ` Ken Kurematsu
@ 2025-12-24 1:47 ` Randy MacLeod
2025-12-24 3:55 ` Ken Kurematsu
0 siblings, 1 reply; 9+ messages in thread
From: Randy MacLeod @ 2025-12-24 1:47 UTC (permalink / raw)
To: Ken Kurematsu, openembedded-core@lists.openembedded.org,
Ross Burton
Cc: Masahiro Mizutani, Yoshitaka Ikeda
On 2025-12-22 7:05 p.m., Ken Kurematsu wrote:
>
> Hi Randy,
>
> Let me confirm one thing about your comment.
>
> If I make the corrections as suggested in the comment, when I retrieve
> CVE_PRODUCT with bitbake-getvar,
>
> only "theora" is included, not "libtheora".
>
I expect both libtheora and theora to be valid matches...
>
> (This is the result of an old test environment, but it was the same in
> 1.2.0)
>
> $ bitbake-getvar -r libtheora CVE_PRODUCT
>
> #
>
> # $CVE_PRODUCT [2 operations]
>
> # set xxx/create-spdx-2.2.bbclass:11
>
> # [_defaultval] "${BPN}"
>
> # append xxx/libtheora_1.1.1.bb:23
>
> # "theora"
>
> # pre-expansion value:
>
> # " theora"
>
> CVE_PRODUCT=" theora"
>
but it doesn't look like that.
>
> If libtheora should be included, I think the following correction
> would be best. What do you think?
>
> Sorry if I misunderstood.
>
> CVE_PRODUCT = "${BPN} theora"
>
probably not.
I replied to your email in response to a discussion in the Yocto patch
review meeting.
IIRC, Ross Burton was the one who suggested the +=.
I don't often use the CVE check scripts in oe-core so I'm not sure
off-hand, how to confirm
that the BPN is the default.
Ross ?
Ken, please be patient, it's the winter holiday season so Ross may not
reply for a week or two.
../Randy
--
# Randy MacLeod
# Wind River Linux
* RE: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
2025-12-24 1:47 ` Randy MacLeod
@ 2025-12-24 3:55 ` Ken Kurematsu
2026-01-16 4:27 ` Ken Kurematsu
0 siblings, 1 reply; 9+ messages in thread
From: Ken Kurematsu @ 2025-12-24 3:55 UTC (permalink / raw)
To: randy.macleod@windriver.com,
openembedded-core@lists.openembedded.org, Ross Burton
Cc: Masahiro Mizutani, Yoshitaka Ikeda, Ken Kurematsu
Hi Randy,
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Randy MacLeod via lists.openembedded.org
Sent: Wednesday, December 24, 2025 10:48 AM
To: Ken Kurematsu <k.kurematsu@nskint.co.jp>; openembedded-core@lists.openembedded.org; Ross Burton <ross.burton@arm.com>
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda <ikeda@nskint.co.jp>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
> On 2025-12-22 7:05 p.m., Ken Kurematsu wrote:
> > Hi Randy,
> > Let me confirm one thing about your comment.
> > If I make the corrections as suggested in the comment, when I retrieve CVE_PRODUCT with bitbake-getvar,
> > only "theora" is included, not "libtheora".
> I expect both libtheora and theora to be valid matches...
I see.
> > (This is the result of an old test environment, but it was the same in 1.2.0)
> > $ bitbake-getvar -r libtheora CVE_PRODUCT
> > #
> > # $CVE_PRODUCT [2 operations]
> > # set xxx/create-spdx-2.2.bbclass:11
> > # [_defaultval] "${BPN}"
> > # append xxx/libtheora_1.1.1.bb:23
> > # "theora"
> > # pre-expansion value:
> > # " theora"
> > CVE_PRODUCT=" theora"
> but it doesn't look like that.
> > If libtheora should be included, I think the following correction would be best. What do you think?
> > Sorry if I misunderstood.
> > CVE_PRODUCT = "${BPN} theora"
> probably not.
Ummm...
> I replied to your email in response to a discussion in the Yocto patch review meeting.
> IIRC, Ross Burton was the one who suggested the +=.
It would be a good idea to attend the Yocto patch review meeting and talk to you.
However, I'm not very good at English. Sorry.
> I don't often use the CVE check scripts in oe-core so I'm not sure off-hand, how to confirm
> that the BPN is the default.
The default value is defined in cve-check.bbclass, which can be found at the following URL:
https://github.com/openembedded/openembedded-core/blob/48e98a6e3fd26c418902b76be8865102bd903189/meta/classes/cve-check.bbclass#L31
> Ross ?
> Ken, please be patient, it's the winter holiday season so Ross may not reply for a week or two.
Ok, I'll wait for Ross's response.
I will also be on vacation starting next week, so the next time I can reply will be after the New Year.
> ../Randy
--
Ken Kurematsu <k.kurematsu@nskint.co.jp>
* RE: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
2025-12-24 3:55 ` Ken Kurematsu
@ 2026-01-16 4:27 ` Ken Kurematsu
2026-01-16 16:50 ` Randy MacLeod
0 siblings, 1 reply; 9+ messages in thread
From: Ken Kurematsu @ 2026-01-16 4:27 UTC (permalink / raw)
To: randy.macleod@windriver.com,
openembedded-core@lists.openembedded.org, Ross Burton
Cc: Masahiro Mizutani, Yoshitaka Ikeda, Ken Kurematsu
Hi Randy, Ross
Ping?
Could you please comment on the post below?
--
Ken Kurematsu <k.kurematsu@nskint.co.jp>
* Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
2026-01-16 4:27 ` Ken Kurematsu
@ 2026-01-16 16:50 ` Randy MacLeod
2026-01-19 8:08 ` Ken Kurematsu
0 siblings, 1 reply; 9+ messages in thread
From: Randy MacLeod @ 2026-01-16 16:50 UTC (permalink / raw)
To: Ken Kurematsu, openembedded-core@lists.openembedded.org,
Ross Burton
Cc: Masahiro Mizutani, Yoshitaka Ikeda
Hi Ken,
On 2026-01-15 11:27 p.m., Ken Kurematsu wrote:
>
> Hi Randy, Ross
>
> Ping?
>
> Could you please comment on the post below?
>
FYI:
a8ddda6033 2025-12-19 libtheora: set CVE_PRODUCT
On master, merged 8 days ago:
https://git.openembedded.org/openembedded-core/commit/?id=a8ddda60332e2a3219e905c1545b5da917f855c6
I think we decided that most bugs were tracked by that name.
../Randy
> --
> Ken Kurematsu<k.kurematsu@nskint.co.jp>
>
> *From:*Ken Kurematsu <k.kurematsu@nskint.co.jp>
> *Sent:* Wednesday, December 24, 2025 12:55 PM
> *To:* randy.macleod@windriver.com;
> openembedded-core@lists.openembedded.org; Ross Burton
> <ross.burton@arm.com>
> *Cc:* Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda
> <ikeda@nskint.co.jp>; Ken Kurematsu <k.kurematsu@nskint.co.jp>
> *Subject:* RE: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
>
> Hi Randy,
>
> *From:*openembedded-core@lists.openembedded.org
> <openembedded-core@lists.openembedded.org> *On Behalf Of *Randy
> MacLeod via lists.openembedded.org
> <https://urldefense.com/v3/__http://lists.openembedded.org__;!!AjveYdw8EvQ!fmr8c03Dewg4g-sO5zs4RWftsjbML8Q3D7lw0sPbzUH0B9a9RMJFbC6fn6aGOaUO_S-vClYLLXRUdsv3E6qaTTYi2jDOYg$>
> *Sent:* Wednesday, December 24, 2025 10:48 AM
> *To:* Ken Kurematsu <k.kurematsu@nskint.co.jp>;
> openembedded-core@lists.openembedded.org; Ross Burton
> <ross.burton@arm.com>
> *Cc:* Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda
> <ikeda@nskint.co.jp>
> *Subject:* Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
>
> On 2025-12-22 7:05 p.m., Ken Kurematsu wrote:
>
> Hi Randy,
>
> Let me confirm one thing about your comment.
>
> If I make the corrections as suggested in the comment, when I
> retrieve CVE_PRODUCT with bitbake-getvar,
>
> only "theora" is included, not "libtheora".
>
> I expect both libtheora and theora to be valid matches...
>
> I see.
>
> (This is the result of an old test environment, but it was the
> same in 1.2.0)
>
> $ bitbake-getvar -r libtheora CVE_PRODUCT
>
> #
>
> # $CVE_PRODUCT [2 operations]
>
> # set xxx/create-spdx-2.2.bbclass:11
>
> # [_defaultval] "${BPN}"
>
> # append xxx/libtheora_1.1.1.bb
> <https://urldefense.com/v3/__http:/libtheora_1.1.1.bb__;!!AjveYdw8EvQ!eK1ouKPWLXaDnUfQ3gMs8G0Yz5LwabHD57DRjPY3zICpVSF-uVGuK9BBiDKmGkE_mqMu67Ekm6WVIz8qZmIROdM8lL0jRA$>:23
>
> # "theora"
>
> # pre-expansion value:
>
> # " theora"
>
> CVE_PRODUCT=" theora"
>
> but it doesn't look like that.
>
> If libtheora should be included, I think the following correction
> would be best. What do you think?
>
> Sorry if I misunderstood.
>
> CVE_PRODUCT = "${BPN} theora"
>
> probably not.
>
> Ummm…
>
>
> I replied to your email in response to a discussion in the Yocto patch
> review meeting.
> IIRC, Ross Burton was the one who suggested the +=.
>
> It would be a good idea to attend the Yocto patch review meeting and
> talk to you.
> However, I'm not very good at English. Sorry.
>
> I don't often use the CVE check scripts in oe-core so I'm not sure
> off-hand, how to confirm
> that the BPN is the default.
>
> The default value is defined in cve-check.bbclass, which can be found
> at the following URL:
> https://github.com/openembedded/openembedded-core/blob/48e98a6e3fd26c418902b76be8865102bd903189/meta/classes/cve-check.bbclass#L31
> <https://urldefense.com/v3/__https://github.com/openembedded/openembedded-core/blob/48e98a6e3fd26c418902b76be8865102bd903189/meta/classes/cve-check.bbclass*L31__;Iw!!AjveYdw8EvQ!fmr8c03Dewg4g-sO5zs4RWftsjbML8Q3D7lw0sPbzUH0B9a9RMJFbC6fn6aGOaUO_S-vClYLLXRUdsv3E6qaTTYvcb6Quw$>
>
>
> Ross ?
>
> Ken, please be patient, it's the winter holiday season so Ross may not
> reply for a week or two.
>
> Ok, I'll wait for Ross's response.
> I will also be on vacation starting next week, so the next time I can
> reply will be after the New Year.
>
> ../Randy
>
> By the way, the NVD records have the following values, so I think
> theora alone will be fine.
>
> (itheora is a different product)
>
> $ sqlite3 downloads/CVE_CHECK/nvdcve_2-2.db .dump | grep theora
>
> :
>
> INSERT INTO PRODUCTS VALUES('CVE-2008-0797',
> 'itheora','itheora','1.0_rc1','=','','');
>
> INSERT INTO PRODUCTS VALUES('CVE-2024-56431',
> 'xiph','theora','','','1.2.0','<');
>
> $
>
> Best Regards.
>
> --
>
> Ken Kurematsu k.kurematsu@nskint.co.jp
>
> *From:* openembedded-core@lists.openembedded.org
> <openembedded-core@lists.openembedded.org> *On Behalf Of*
> Ken Kurematsu via lists.openembedded.org
> *Sent:* Tuesday, December 23, 2025 8:43 AM
> *To:* Randy MacLeod <randy.macleod@windriver.com>;
> openembedded-core@lists.openembedded.org
> *Cc:* Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda
> <ikeda@nskint.co.jp>; Ken Kurematsu <k.kurematsu@nskint.co.jp>
> *Subject:* Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
>
> Hi Randy,
>
> Thank you for your review.
>
> I will reflect your comments and post v2.
>
> Best regards.
>
> --
>
> Ken Kurematsu <k.kurematsu@nskint.co.jp>
>
> *From:* Randy MacLeod <randy.macleod@windriver.com>
> *Sent:* Tuesday, December 23, 2025 3:58 AM
> *To:* Ken Kurematsu <k.kurematsu@nskint.co.jp>;
> openembedded-core@lists.openembedded.org
> *Cc:* Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda
> <ikeda@nskint.co.jp>
> *Subject:* Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
>
> Hi Ken,
>
> On 2025-12-18 11:01 p.m., Ken Kurematsu via lists.openembedded.org wrote:
>
> In the NVD database, the product name of libtheora is theora.
>
> This was set to ensure that cve-check works correctly.
>
>
>
> Signed-off-by: Ken Kurematsu<k.kurematsu@nskint.co.jp>
>
> ---
>
> meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb | 2 ++
>
> 1 file changed, 2 insertions(+)
>
>
>
> diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
>
> index 04de8507fb..bacaf3aee6 100644
>
> --- a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
>
> +++ b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
>
> @@ -14,6 +14,8 @@ SRC_URI[sha256sum] = "ebdf77a8f5c0a8f7a9e42323844fa09502b34eb1d1fece7b5f54da41fe
>
>
>
> UPSTREAM_CHECK_REGEX = "libtheora-(?P<pver>\d+(\.\d)+)\.(tar\.gz|tgz)"
>
>
>
> +CVE_PRODUCT = "theora"
>
> +
>
>
>
> From YP patch review,
>
> Please use:
>
> CVE_PRODUCT += "theora"
>
>
>
> to catch both libtheora and theora
>
>
>
>
>
> Thanks,
>
>
>
> ../Randy
>
>
>
>
>
> inherit autotools pkgconfig
>
>
>
> EXTRA_OECONF = "--disable-examples --disable-doc"
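Review bot: the `=` on the added `CVE_PRODUCT = "theora"` line replaces the `${BPN}` default instead of extending it, so `libtheora` stops being a candidate product name, and the commit message does not say that this is intended. Either state in the message that only the NVD name `theora` should be matched, or, if both names are wanted, write `CVE_PRODUCT = "${BPN} theora"`; the bitbake-getvar output quoted in this thread shows that `+=` leaves only " theora" because `${BPN}` is recorded as a `_defaultval`.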
>
>
>
>
>
> --
>
> # Randy MacLeod
>
> # Wind River Linux
>
> --
> Ken Kurematsu<k.kurematsu@nskint.co.jp>
>
--
# Randy MacLeod
# Wind River Linux
^ permalink raw reply [flat|nested] 9+ messages in thread
* RE: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
2026-01-16 16:50 ` Randy MacLeod
@ 2026-01-19 8:08 ` Ken Kurematsu
0 siblings, 0 replies; 9+ messages in thread
From: Ken Kurematsu @ 2026-01-19 8:08 UTC (permalink / raw)
To: randy.macleod@windriver.com,
openembedded-core@lists.openembedded.org, Ross Burton
Cc: Masahiro Mizutani, Yoshitaka Ikeda, Ken Kurematsu
Hi Randy
Thank you for your reply.
Sorry, I overlooked that. It was indeed merged.
Best Regards.
--
Ken Kurematsu <k.kurematsu@nskint.co.jp>
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Randy MacLeod via lists.openembedded.org
Sent: Saturday, January 17, 2026 1:50 AM
To: Ken Kurematsu <k.kurematsu@nskint.co.jp>; openembedded-core@lists.openembedded.org; Ross Burton <ross.burton@arm.com>
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda <ikeda@nskint.co.jp>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
Hi Ken,
On 2026-01-15 11:27 p.m., Ken Kurematsu wrote:
Hi Randy, Ross
Ping?
Could you please comment on the post below?
FYI:
a8ddda6033 2025-12-19 libtheora: set CVE_PRODUCT
On master, merged 8 days ago:
https://git.openembedded.org/openembedded-core/commit/?id=a8ddda60332e2a3219e905c1545b5da917f855c6
I think we decided that most bugs were tracked by that name.
../Randy
--
Ken Kurematsu <k.kurematsu@nskint.co.jp>
From: Ken Kurematsu <k.kurematsu@nskint.co.jp>
Sent: Wednesday, December 24, 2025 12:55 PM
To: randy.macleod@windriver.com; openembedded-core@lists.openembedded.org; Ross Burton <ross.burton@arm.com>
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda <ikeda@nskint.co.jp>; Ken Kurematsu <k.kurematsu@nskint.co.jp>
Subject: RE: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
Hi Randy,
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Randy MacLeod via lists.openembedded.org
Sent: Wednesday, December 24, 2025 10:48 AM
To: Ken Kurematsu <k.kurematsu@nskint.co.jp>; openembedded-core@lists.openembedded.org; Ross Burton <ross.burton@arm.com>
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda <ikeda@nskint.co.jp>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
On 2025-12-22 7:05 p.m., Ken Kurematsu wrote:
Hi Randy,
Let me confirm one thing about your comment.
If I make the corrections as suggested in the comment, when I retrieve CVE_PRODUCT with bitbake-getvar,
only "theora" is included, not "libtheora".
I expect both libtheora and theora to be valid matches...
I see.
(This is the result of an old test environment, but it was the same in 1.2.0)
$ bitbake-getvar -r libtheora CVE_PRODUCT
#
# $CVE_PRODUCT [2 operations]
# set xxx/create-spdx-2.2.bbclass:11
# [_defaultval] "${BPN}"
# append xxx/libtheora_1.1.1.bb:23
# "theora"
# pre-expansion value:
# " theora"
CVE_PRODUCT=" theora"
but it doesn't look like that.
If libtheora should be included, I think the following correction would be best. What do you think?
Sorry if I misunderstood.
CVE_PRODUCT = "${BPN} theora"
probably not.
Ummm…
I replied to your email in response to a discussion in the Yocto patch review meeting.
IIRC, Ross Burton was the one who suggested the +=.
It would be a good idea to attend the Yocto patch review meeting and talk to you.
However, I'm not very good at English. Sorry.
I don't often use the CVE check scripts in oe-core so I'm not sure off-hand, how to confirm
that the BPN is the default.
The default value is defined in cve-check.bbclass, which can be found at the following URL:
https://github.com/openembedded/openembedded-core/blob/48e98a6e3fd26c418902b76be8865102bd903189/meta/classes/cve-check.bbclass#L31
Ross ?
Ken, please be patient, it's the winter holiday season so Ross may not reply for a week or two.
Ok, I'll wait for Ross's response.
I will also be on vacation starting next week, so the next time I can reply will be after the New Year.
../Randy
By the way, the NVD records have the following values, so I think theora alone will be fine.
(itheora is a different product)
$ sqlite3 downloads/CVE_CHECK/nvdcve_2-2.db .dump | grep theora
:
INSERT INTO PRODUCTS VALUES('CVE-2008-0797', 'itheora','itheora','1.0_rc1','=','','');
INSERT INTO PRODUCTS VALUES('CVE-2024-56431', 'xiph','theora','','','1.2.0','<');
$
Best Regards.
--
Ken Kurematsu k.kurematsu@nskint.co.jp
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Ken Kurematsu via lists.openembedded.org
Sent: Tuesday, December 23, 2025 8:43 AM
To: Randy MacLeod <randy.macleod@windriver.com>; openembedded-core@lists.openembedded.org
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda <ikeda@nskint.co.jp>; Ken Kurematsu <k.kurematsu@nskint.co.jp>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
Hi Randy,
Thank you for your review.
I will reflect your comments and post v2.
Best regards.
--
Ken Kurematsu <k.kurematsu@nskint.co.jp>
From: Randy MacLeod <randy.macleod@windriver.com>
Sent: Tuesday, December 23, 2025 3:58 AM
To: Ken Kurematsu <k.kurematsu@nskint.co.jp>; openembedded-core@lists.openembedded.org
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda <ikeda@nskint.co.jp>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
Hi Ken,
On 2025-12-18 11:01 p.m., Ken Kurematsu via lists.openembedded.org wrote:
In the NVD database, the product name of libtheora is theora.
This was set to ensure that cve-check works correctly.
Signed-off-by: Ken Kurematsu <k.kurematsu@nskint.co.jp>
---
meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
index 04de8507fb..bacaf3aee6 100644
--- a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
+++ b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
@@ -14,6 +14,8 @@ SRC_URI[sha256sum] = "ebdf77a8f5c0a8f7a9e42323844fa09502b34eb1d1fece7b5f54da41fe
UPSTREAM_CHECK_REGEX = "libtheora-(?P<pver>\d+(\.\d)+)\.(tar\.gz|tgz)"
+CVE_PRODUCT = "theora"
+
From YP patch review,
Please use:
CVE_PRODUCT += "theora"
to catch both libtheora and theora
Thanks,
../Randy
inherit autotools pkgconfig
EXTRA_OECONF = "--disable-examples --disable-doc"
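Review bot: the added `CVE_PRODUCT = "theora"` names the product without a vendor, while the NVD row quoted in this thread lists it under vendor `xiph`. Consider `CVE_PRODUCT = "xiph:theora"` so that a same-named product from another vendor cannot produce a match, and add a one-line comment above the assignment noting that NVD tracks libtheora as theora.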
--
# Randy MacLeod
# Wind River Linux
--
Ken Kurematsu <k.kurematsu@nskint.co.jp>
--
# Randy MacLeod
# Wind River Linux
^ permalink raw reply [flat|nested] 9+ messages in thread
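The messages above compare three ways of writing CVE_PRODUCT against the NVD rows Ken quoted. The following is an added example, not code from the thread or from OE-core, that resolves each form and looks it up in a constructed copy of those two rows. Assumptions: the PRODUCTS column names, the `vendor:` prefix handling and the `resolve()` helper are simplified stand-ins for what bitbake and cve-check do.

```python
import sqlite3
BPN = "libtheora"  # recipe base name used in the thread

def resolve(ops, weak_default="${BPN}"):
    """Simplified model (assumption): the weak default applies only when no
    '=' or '+=' touched the variable, as the bitbake-getvar output shows."""
    value = None
    for op, text in ops:
        if op == "=":
            value = text
        elif op == "+=":  # appends with a leading space, even to nothing
            value = (value or "") + " " + text
    return (weak_default if value is None else value).replace("${BPN}", BPN)

def build_db():
    """Constructed in-memory PRODUCTS table with the two rows quoted in the
    thread. Column names are assumed; the thread shows only the values."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PRODUCTS (ID, VENDOR, PRODUCT, VERSION_START,"
               " OPERATOR_START, VERSION_END, OPERATOR_END)")
    db.executemany("INSERT INTO PRODUCTS VALUES (?,?,?,?,?,?,?)", [
        ("CVE-2008-0797", "itheora", "itheora", "1.0_rc1", "=", "", ""),
        ("CVE-2024-56431", "xiph", "theora", "", "", "1.2.0", "<"),
    ])
    return db

def matching_cves(db, cve_product):
    """Exact product-name match for each whitespace-separated entry; an
    optional 'vendor:' prefix narrows the vendor (simplified, assumed)."""
    hits = set()
    for entry in cve_product.split():
        vendor, _, product = entry.rpartition(":")
        rows = db.execute(
            "SELECT ID FROM PRODUCTS WHERE PRODUCT = ? AND VENDOR LIKE ?",
            (product, vendor or "%"))
        hits.update(row[0] for row in rows)
    return sorted(hits)

def compare():
    """Final value and matched CVE IDs for each assignment form discussed."""
    db = build_db()
    forms = {"(unset)": [], '= "theora"': [("=", "theora")],
             '+= "theora"': [("+=", "theora")],
             '= "${BPN} theora"': [("=", "${BPN} theora")]}
    return {k: (resolve(v), matching_cves(db, resolve(v)))
            for k, v in forms.items()}

if __name__ == "__main__":
    for form, result in compare().items():
        print("CVE_PRODUCT", form, "->", result)
```

With only these two rows, every form that contains `theora` finds CVE-2024-56431, the unset default `libtheora` finds nothing, and `itheora` is never matched by either name.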
end of thread, other threads:[~2026-01-19 8:08 UTC | newest]
Thread overview: 9+ messages
2025-12-19 4:01 [PATCH] libtheora: set CVE_PRODUCT Ken Kurematsu
2025-12-22 18:57 ` [OE-core] " Randy MacLeod
2025-12-22 23:42 ` Ken Kurematsu
[not found] ` <1883AE2C045A1BB3.1614991@lists.openembedded.org>
2025-12-23 0:05 ` Ken Kurematsu
2025-12-24 1:47 ` Randy MacLeod
2025-12-24 3:55 ` Ken Kurematsu
2026-01-16 4:27 ` Ken Kurematsu
2026-01-16 16:50 ` Randy MacLeod
2026-01-19 8:08 ` Ken Kurematsu