From: Randy MacLeod <randy.macleod@windriver.com>
To: Ken Kurematsu <k.kurematsu@nskint.co.jp>,
"openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>,
Ross Burton <ross.burton@arm.com>
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>,
Yoshitaka Ikeda <ikeda@nskint.co.jp>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
Date: Tue, 23 Dec 2025 20:47:53 -0500 [thread overview]
Message-ID: <c2a296a3-0345-4814-ae07-257440b67fef@windriver.com> (raw)
In-Reply-To: <TYRP286MB59955A29B4B18B89EF4E939ADBB5A@TYRP286MB5995.JPNP286.PROD.OUTLOOK.COM>
On 2025-12-22 7:05 p.m., Ken Kurematsu wrote:
>
> Hi Randy,
>
> Let me confirm one thing about your comment.
>
> If I make the corrections as suggested in the comment, when I retrieve
> CVE_PRODUCT with bitbake-getvar, only "theora" is included, not "libtheora".
>
I expect both libtheora and theora to be valid matches...
>
> (This is the result of an old test environment, but it was the same in
> 1.2.0)
>
> $ bitbake-getvar -r libtheora CVE_PRODUCT
> #
> # $CVE_PRODUCT [2 operations]
> # set xxx/create-spdx-2.2.bbclass:11
> # [_defaultval] "${BPN}"
> # append xxx/libtheora_1.1.1.bb:23
> # "theora"
> # pre-expansion value:
> # " theora"
> CVE_PRODUCT=" theora"
>
but it doesn't look like that.
>
> If libtheora should be included, I think the following correction
> would be best. What do you think?
>
> Sorry if I misunderstood.
>
> CVE_PRODUCT = "${BPN} theora"
>
probably not.
I replied to your email in response to a discussion in the Yocto patch
review meeting.
IIRC, Ross Burton was the one who suggested the +=.
I don't often use the CVE check scripts in oe-core so I'm not sure
off-hand how to confirm that the BPN is the default.
Ross ?
Ken, please be patient, it's the winter holiday season so Ross may not
reply for a week or two.
../Randy
> By the way, the NVD records have the following values, so I think
> theora alone will be fine.
>
> (itheora is a different product)
>
> $ sqlite3 downloads/CVE_CHECK/nvdcve_2-2.db .dump | grep theora
> :
> INSERT INTO PRODUCTS VALUES('CVE-2008-0797',
> 'itheora','itheora','1.0_rc1','=','','');
> INSERT INTO PRODUCTS VALUES('CVE-2024-56431',
> 'xiph','theora','','','1.2.0','<');
> $
>
> Best Regards.
>
> --
> Ken Kurematsu k.kurematsu@nskint.co.jp
>
> *From:* openembedded-core@lists.openembedded.org
> <openembedded-core@lists.openembedded.org> *On Behalf Of* Ken
> Kurematsu via lists.openembedded.org
> *Sent:* Tuesday, December 23, 2025 8:43 AM
> *To:* Randy MacLeod <randy.macleod@windriver.com>;
> openembedded-core@lists.openembedded.org
> *Cc:* Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda
> <ikeda@nskint.co.jp>; Ken Kurematsu <k.kurematsu@nskint.co.jp>
> *Subject:* Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
>
> Hi Randy,
>
> Thank you for your review.
>
> I will reflect your comments and post v2.
>
> Best regards.
>
> --
> Ken Kurematsu <k.kurematsu@nskint.co.jp>
>
> *From:* Randy MacLeod <randy.macleod@windriver.com>
> *Sent:* Tuesday, December 23, 2025 3:58 AM
> *To:* Ken Kurematsu <k.kurematsu@nskint.co.jp>;
> openembedded-core@lists.openembedded.org
> *Cc:* Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda
> <ikeda@nskint.co.jp>
> *Subject:* Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
>
> Hi Ken,
>
> On 2025-12-18 11:01 p.m., Ken Kurematsu via lists.openembedded.org
> wrote:
>
> In the NVD database, the product name of libtheora is theora.
>
> This was set to ensure that cve-check works correctly.
>
> Signed-off-by: Ken Kurematsu <k.kurematsu@nskint.co.jp>
>
> ---
>
> meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
>
> index 04de8507fb..bacaf3aee6 100644
>
> --- a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
>
> +++ b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
>
> @@ -14,6 +14,8 @@ SRC_URI[sha256sum] = "ebdf77a8f5c0a8f7a9e42323844fa09502b34eb1d1fece7b5f54da41fe
>
>
>
> UPSTREAM_CHECK_REGEX = "libtheora-(?P<pver>\d+(\.\d)+)\.(tar\.gz|tgz)"
>
>
>
> +CVE_PRODUCT = "theora"
>
> +
>
>
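Review bot: `+CVE_PRODUCT = "theora"` replaces the `${BPN}` default instead of adding to it, so cve-check stops looking for a `libtheora` product entirely; the thread has not yet settled whether that is intended. Note that the `bitbake-getvar -r libtheora CVE_PRODUCT` output quoted earlier in this message shows `CVE_PRODUCT += "theora"` also expanding to `" theora"` only, because `${BPN}` is present just as a `_defaultval`, so if both names are wanted, Ken's `CVE_PRODUCT = "${BPN} theora"` is the spelling that keeps them; whichever form is chosen should be confirmed with that same bitbake-getvar call before v2. The quoted sqlite dump records the NVD entry as vendor `xiph`, product `theora` (CVE-2024-56431), so `theora` is the name that must be present in any case; citing that CVE in the commit message would let reviewers verify the rename without re-querying the database.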
> From YP patch review,
> Please use:
>
> CVE_PRODUCT += "theora"
>
> to catch both libtheora and theora
>
> Thanks,
> ../Randy
>
>
>
>
> inherit autotools pkgconfig
>
>
>
> EXTRA_OECONF = "--disable-examples --disable-doc"
>
>
>
>
>
> --
> # Randy MacLeod
> # Wind River Linux
--
# Randy MacLeod
# Wind River Linux
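The thread turns on how cve-check resolves a CVE_PRODUCT value against the PRODUCTS table of the NVD sqlite database that Ken dumped above. The following is an added example, not code from the thread or from oe-core's cve-check.bbclass: it loads the two PRODUCTS rows quoted in the message into an in-memory sqlite database (column layout assumed from the dump: ID, VENDOR, PRODUCT, VERSION_START, OPERATOR_START, VERSION_END, OPERATOR_END), parses a CVE_PRODUCT string in the `product` / `vendor:product` form that cve-check accepts, and reports which CVEs cover a given recipe version. The version comparison is a deliberately simplified numeric one, not cve-check's real version logic.

```python
import re
import sqlite3

# Constructed sample rows, transcribed from the `sqlite3 ... .dump | grep theora`
# output quoted in the thread. Column layout is assumed (not copied from oe-core):
# ID, VENDOR, PRODUCT, VERSION_START, OPERATOR_START, VERSION_END, OPERATOR_END.
SAMPLE_PRODUCTS = [
    ("CVE-2008-0797", "itheora", "itheora", "1.0_rc1", "=", "", ""),
    ("CVE-2024-56431", "xiph", "theora", "", "", "1.2.0", "<"),
]


def build_db():
    """In-memory stand-in for downloads/CVE_CHECK/nvdcve_2-2.db."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE PRODUCTS (ID TEXT, VENDOR TEXT, PRODUCT TEXT, "
        "VERSION_START TEXT, OPERATOR_START TEXT, VERSION_END TEXT, OPERATOR_END TEXT)"
    )
    db.executemany("INSERT INTO PRODUCTS VALUES (?,?,?,?,?,?,?)", SAMPLE_PRODUCTS)
    return db


def parse_cve_product(value):
    """Split a CVE_PRODUCT value into (vendor, product) pairs.

    Entries are whitespace separated and written as 'product' or
    'vendor:product'; a missing vendor means any vendor (None here).
    """
    pairs = []
    for entry in value.split():
        vendor, sep, product = entry.rpartition(":")
        pairs.append((vendor if sep else None, product))
    return pairs


def version_tuple(v):
    """Simplified comparison key: the digit runs of the string, '1.0_rc1' -> (1, 0, 1).
    cve-check uses a proper version comparison; this is only enough for the demo."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


_OPS = {
    "=": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def version_affected(pv, start, op_start, end, op_end):
    """True when pv lies inside the row's affected range; an empty bound is open."""
    v = version_tuple(pv)
    if start and not _OPS[op_start](v, version_tuple(start)):
        return False
    if end and not _OPS[op_end](v, version_tuple(end)):
        return False
    return True


def matching_cves(db, cve_product, pv):
    """CVE ids whose PRODUCTS row matches a CVE_PRODUCT entry and covers version pv.

    Product names are compared for equality, not as substrings, which is why
    'theora' does not pick up the unrelated 'itheora' row that grep showed.
    """
    hits = set()
    for vendor, product in parse_cve_product(cve_product):
        if vendor is None:
            rows = db.execute("SELECT * FROM PRODUCTS WHERE PRODUCT = ?", (product,))
        else:
            rows = db.execute(
                "SELECT * FROM PRODUCTS WHERE VENDOR = ? AND PRODUCT = ?", (vendor, product)
            )
        for cve_id, _vendor, _product, vs, ops, ve, ope in rows:
            if version_affected(pv, vs, ops, ve, ope):
                hits.add(cve_id)
    return sorted(hits)


if __name__ == "__main__":
    db = build_db()
    # The recipe default is ${BPN} == "libtheora", a product name NVD does not use.
    for value in ("libtheora", "theora", "xiph:theora", "libtheora theora"):
        print(f"CVE_PRODUCT={value!r} pv=1.1.1 -> {matching_cves(db, value, '1.1.1')}")
    print("CVE_PRODUCT='theora' pv=1.2.0 ->", matching_cves(db, "theora", "1.2.0"))
```

Run against the two sample rows, `libtheora` alone matches nothing, `theora` (with or without the `xiph:` vendor) matches CVE-2024-56431 for 1.1.1 but not for 1.2.0, and `itheora` stays separate because the lookup is an exact product match rather than the substring match that `grep theora` performs on the dump.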
Thread overview: 9+ messages
2025-12-19 4:01 [PATCH] libtheora: set CVE_PRODUCT Ken Kurematsu
2025-12-22 18:57 ` [OE-core] " Randy MacLeod
2025-12-22 23:42 ` Ken Kurematsu
[not found] ` <1883AE2C045A1BB3.1614991@lists.openembedded.org>
2025-12-23 0:05 ` Ken Kurematsu
2025-12-24 1:47 ` Randy MacLeod [this message]
2025-12-24 3:55 ` Ken Kurematsu
2026-01-16 4:27 ` Ken Kurematsu
2026-01-16 16:50 ` Randy MacLeod
2026-01-19 8:08 ` Ken Kurematsu