On 2025-12-22 7:05 p.m., Ken Kurematsu wrote:

Hi Randy,

Let me confirm one thing about your comment.

If I make the corrections as suggested in the comment, when I retrieve CVE_PRODUCT with bitbake-getvar, only "theora" is included, not "libtheora".

I expect both libtheora and theora to be valid matches...

(This is the result of an old test environment, but it was the same in 1.2.0)

$ bitbake-getvar -r libtheora CVE_PRODUCT
#
# $CVE_PRODUCT [2 operations]
#   set xxx/create-spdx-2.2.bbclass:11
#     [_defaultval] "${BPN}"
#   append xxx/libtheora_1.1.1.bb:23
#     "theora"
# pre-expansion value:
#   " theora"
CVE_PRODUCT=" theora"

but it doesn't look like that.

If libtheora should be included, I think the following correction would be best. What do you think?

Sorry if I misunderstood.

CVE_PRODUCT = "${BPN} theora"

probably not.

I replied to your email in response to a discussion in the Yocto patch review meeting.
IIRC, Ross Burton was the one who suggested the +=.


I don't often use the CVE check scripts in oe-core so I'm not sure off-hand, how to confirm
that the BPN is the default.

Ross ?

Ken, please be patient, it's the winter holiday season so Ross may not reply for a week or two.

../Randy

By the way, the NVD records have the following values, so I think theora alone will be fine.

(itheora is a different product)

$ sqlite3 downloads/CVE_CHECK/nvdcve_2-2.db .dump | grep theora
:
INSERT INTO PRODUCTS VALUES('CVE-2008-0797', 'itheora','itheora','1.0_rc1','=','','');
INSERT INTO PRODUCTS VALUES('CVE-2024-56431', 'xiph','theora','','','1.2.0','<');
$

Best Regards.

--

Ken Kurematsu k.kurematsu@nskint.co.jp

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Ken Kurematsu via lists.openembedded.org
Sent: Tuesday, December 23, 2025 8:43 AM
To: Randy MacLeod <randy.macleod@windriver.com>; openembedded-core@lists.openembedded.org
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda <ikeda@nskint.co.jp>; Ken Kurematsu <k.kurematsu@nskint.co.jp>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT

Hi Randy,

Thank you for your review.

I will reflect your comments and post v2.

Best regards.

--

Ken Kurematsu <k.kurematsu@nskint.co.jp>

From: Randy MacLeod <randy.macleod@windriver.com>
Sent: Tuesday, December 23, 2025 3:58 AM
To: Ken Kurematsu <k.kurematsu@nskint.co.jp>; openembedded-core@lists.openembedded.org
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda <ikeda@nskint.co.jp>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT

Hi Ken,

On 2025-12-18 11:01 p.m., Ken Kurematsu via lists.openembedded.org wrote:

In the NVD database, the product name of libtheora is theora.
This was set to ensure that cve-check works correctly.
 
Signed-off-by: Ken Kurematsu <k.kurematsu@nskint.co.jp>
---
 meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb | 2 ++
 1 file changed, 2 insertions(+)
 
diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
index 04de8507fb..bacaf3aee6 100644
--- a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
+++ b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
@@ -14,6 +14,8 @@ SRC_URI[sha256sum] = "ebdf77a8f5c0a8f7a9e42323844fa09502b34eb1d1fece7b5f54da41fe
 
 UPSTREAM_CHECK_REGEX = "libtheora-(?P<pver>\d+(\.\d)+)\.(tar\.gz|tgz)"
 
+CVE_PRODUCT = "theora"
+
 
From YP patch review,

Please use:

CVE_PRODUCT += "theora"

to catch both libtheora and theora

Thanks,

../Randy

 inherit autotools pkgconfig
 
 EXTRA_OECONF = "--disable-examples --disable-doc"
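Review bot: the plain `=` in `+CVE_PRODUCT = "theora"` replaces the recipe's default product name rather than extending it, so after this change cve-check matches only `theora` and no longer considers CVEs filed against `libtheora` (the `${BPN}` value that create-spdx-2.2.bbclass sets as `[_defaultval]`, per the bitbake-getvar output quoted later in this thread). Note that the `+=` form suggested in review gives the same single-name result in that output (`CVE_PRODUCT=" theora"`), because the default is a weak `?=` value that an append does not pick up; if both names are meant to stay valid, the form proposed in the thread, `CVE_PRODUCT = "${BPN} theora"`, is the one that keeps both. A one-line comment above the assignment recording that NVD lists this project as `xiph` / `theora` (as the sqlite dump shows) would also help the next person who touches the recipe.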

-- 
# Randy MacLeod
# Wind River Linux