public inbox for openembedded-core@lists.openembedded.org
From: Randy MacLeod <randy.macleod@windriver.com>
To: Ken Kurematsu <k.kurematsu@nskint.co.jp>,
	"openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>,
	Ross Burton <ross.burton@arm.com>
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>,
	Yoshitaka Ikeda <ikeda@nskint.co.jp>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
Date: Fri, 16 Jan 2026 11:50:19 -0500
Message-ID: <c51b3d11-0820-4538-aacc-b442c7540ae4@windriver.com>
In-Reply-To: <TYRP286MB5995A204B7B9AF877CD7B64CDB8DA@TYRP286MB5995.JPNP286.PROD.OUTLOOK.COM>



Hi Ken,

On 2026-01-15 11:27 p.m., Ken Kurematsu wrote:
>
> Hi Randy, Ross
>
> Ping?
>
> Could you please comment on the post below?
>
FYI:
a8ddda6033   2025-12-19   libtheora: set CVE_PRODUCT

On master, merged 8 days ago:

https://git.openembedded.org/openembedded-core/commit/?id=a8ddda60332e2a3219e905c1545b5da917f855c6

I think we decided that most bugs were tracked by that name.

../Randy

> --
> Ken Kurematsu<k.kurematsu@nskint.co.jp>
>
> *From:*Ken Kurematsu <k.kurematsu@nskint.co.jp>
> *Sent:* Wednesday, December 24, 2025 12:55 PM
> *To:* randy.macleod@windriver.com; 
> openembedded-core@lists.openembedded.org; Ross Burton 
> <ross.burton@arm.com>
> *Cc:* Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda 
> <ikeda@nskint.co.jp>; Ken Kurematsu <k.kurematsu@nskint.co.jp>
> *Subject:* RE: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
>
> Hi Randy,
>
> *From:*openembedded-core@lists.openembedded.org 
> <openembedded-core@lists.openembedded.org> *On Behalf Of *Randy 
> MacLeod via lists.openembedded.org
> *Sent:* Wednesday, December 24, 2025 10:48 AM
> *To:* Ken Kurematsu <k.kurematsu@nskint.co.jp>; 
> openembedded-core@lists.openembedded.org; Ross Burton 
> <ross.burton@arm.com>
> *Cc:* Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda 
> <ikeda@nskint.co.jp>
> *Subject:* Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
>
> On 2025-12-22 7:05 p.m., Ken Kurematsu wrote:
>
>     Hi Randy,
>
>     Let me confirm one thing about your comment.
>
>     If I make the corrections as suggested in the comment, when I
>     retrieve CVE_PRODUCT with bitbake-getvar,
>
>     only "theora" is included, not "libtheora".
>
> I expect both libtheora and theora to be valid matches...
>
> I see.
>
>     (This is the result of an old test environment, but it was the
>     same in 1.2.0)
>
>     $ bitbake-getvar -r libtheora CVE_PRODUCT
>
>     #
>
>     # $CVE_PRODUCT [2 operations]
>
>     #   set xxx/create-spdx-2.2.bbclass:11
>
>     # [_defaultval] "${BPN}"
>
>     #   append xxx/libtheora_1.1.1.bb:23
>
>     # "theora"
>
>     # pre-expansion value:
>
>     #   " theora"
>
>     CVE_PRODUCT=" theora"
>
> but  it doesn't look like that.
>
>     If libtheora should be included, I think the following correction
>     would be best. What do you think?
>
>     Sorry if I misunderstood.
>
>     CVE_PRODUCT = "${BPN} theora"
>
> probably not.
>
> Ummm…
>
>
> I replied to your email in response to a discussion in the Yocto patch 
> review meeting.
> IIRC, Ross Burton was the one who suggested the +=.
>
> It would be a good idea to attend the Yocto patch review meeting and 
> talk to you.
> However, I'm not very good at English. Sorry.
>
> I don't often use the CVE check scripts in oe-core so I'm not sure 
> off-hand, how to confirm
> that the BPN is the default.
>
> The default value is defined in cve-check.bbclass, which can be found 
> at the following URL:
> https://github.com/openembedded/openembedded-core/blob/48e98a6e3fd26c418902b76be8865102bd903189/meta/classes/cve-check.bbclass#L31
>
>
> Ross ?
>
> Ken, please be patient, it's the winter holiday season so Ross may not 
> reply for a week or two.
>
> Ok, I'll wait for Ross's response.
> I will also be on vacation starting next week, so the next time I can 
> reply will be after the New Year.
>
> ../Randy
>
>     By the way, the NVD records have the following values, so I think
>     theora alone will be fine.
>
>     (itheora is a different product)
>
>     $ sqlite3 downloads/CVE_CHECK/nvdcve_2-2.db .dump | grep theora
>
>     :
>
>     INSERT INTO PRODUCTS VALUES('CVE-2008-0797',
>     'itheora','itheora','1.0_rc1','=','','');
>
>     INSERT INTO PRODUCTS VALUES('CVE-2024-56431',
>     'xiph','theora','','','1.2.0','<');
>
>     $
>
>     Best Regards.
>
>     --
>
>     Ken Kurematsu <k.kurematsu@nskint.co.jp>
>
>     *From:*openembedded-core@lists.openembedded.org
>     <openembedded-core@lists.openembedded.org> *On Behalf Of *Ken
>     Kurematsu via lists.openembedded.org
>     *Sent:* Tuesday, December 23, 2025 8:43 AM
>     *To:* Randy MacLeod <randy.macleod@windriver.com>;
>     openembedded-core@lists.openembedded.org
>     *Cc:* Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda
>     <ikeda@nskint.co.jp>; Ken Kurematsu <k.kurematsu@nskint.co.jp>
>     *Subject:* Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
>
>     Hi Randy,
>
>     Thank you for your review.
>
>     I will reflect your comments and post v2.
>
>     Best regards.
>
>     --
>
>     Ken Kurematsu <k.kurematsu@nskint.co.jp>
>
>     *From:*Randy MacLeod <randy.macleod@windriver.com>
>     *Sent:* Tuesday, December 23, 2025 3:58 AM
>     *To:* Ken Kurematsu <k.kurematsu@nskint.co.jp>;
>     openembedded-core@lists.openembedded.org
>     *Cc:* Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda
>     <ikeda@nskint.co.jp>
>     *Subject:* Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
>
>     Hi Ken,
>
>     On 2025-12-18 11:01 p.m., Ken Kurematsu via lists.openembedded.org
>     wrote:
>
>         In the NVD database, the product name of libtheora is theora.
>
>         This was set to ensure that cve-check works correctly.
>
>           
>
>         Signed-off-by: Ken Kurematsu<k.kurematsu@nskint.co.jp>
>
>         ---
>
>           meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb | 2 ++
>
>           1 file changed, 2 insertions(+)
>
>           
>
>         diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
>
>         index 04de8507fb..bacaf3aee6 100644
>
>         --- a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
>
>         +++ b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
>
>         @@ -14,6 +14,8 @@ SRC_URI[sha256sum] = "ebdf77a8f5c0a8f7a9e42323844fa09502b34eb1d1fece7b5f54da41fe
>
>           
>
>           UPSTREAM_CHECK_REGEX = "libtheora-(?P<pver>\d+(\.\d)+)\.(tar\.gz|tgz)"
>
>           
>
>         +CVE_PRODUCT = "theora"
>
>         +
>
>       
>
>      From YP patch review,
>
>     Please use:
>
>     CVE_PRODUCT += "theora"
>
>       
>
>     to catch both libtheora and theora
>
>       
>
>       
>
>     Thanks,
>
>       
>
>     ../Randy
>
>       
>
>           
>
>           inherit autotools pkgconfig
>
>           
>
>           EXTRA_OECONF = "--disable-examples --disable-doc"
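
Review bot: the CVE_PRODUCT = "theora" line added after UPSTREAM_CHECK_REGEX has no comment explaining the override, and a plain "=" replaces the "${BPN}" default, so "libtheora" is no longer one of the matched product names. If that is intended, state it in the commit message or in a one-line comment above the assignment. The NVD row quoted in this thread lists the vendor as xiph, so CVE_PRODUCT = "xiph:theora" would also pin the vendor and keep the match away from a same-named product from another vendor.
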
>
>           
>
>           
>
>     -- 
>
>     # Randy MacLeod
>
>     # Wind River Linux
>
> -- 
> # Randy MacLeod
> # Wind River Linux
>   
> --
> Ken Kurematsu<k.kurematsu@nskint.co.jp>
>   


-- 
# Randy MacLeod
# Wind River Linux
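
Added example (not part of the thread and not oe-core's cve-check code): a small lookup over the two PRODUCTS rows quoted above, showing which CVE_PRODUCT values would select CVE-2024-56431 for a given recipe version when product names are matched exactly rather than by substring as grep does. The column names, the helper names and the simplified version comparison are assumptions made for this example.

```python
import operator
import sqlite3

# The two PRODUCTS rows from the sqlite3 dump quoted in the thread.
# Column names are an assumption: the dump shows only the values.
ROWS = [
    ("CVE-2008-0797", "itheora", "itheora", "1.0_rc1", "=", "", ""),
    ("CVE-2024-56431", "xiph", "theora", "", "", "1.2.0", "<"),
]
CMP = {"<": operator.lt, "<=": operator.le,
       ">": operator.gt, ">=": operator.ge}

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PRODUCTS (ID, VENDOR, PRODUCT, VERSION_START,"
               " OPERATOR_START, VERSION_END, OPERATOR_END)")
    db.executemany("INSERT INTO PRODUCTS VALUES (?,?,?,?,?,?,?)", ROWS)
    return db

def vtuple(version):
    # Simplified dotted-number compare, not cve-check's own version logic.
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def bound_ok(pv, op, bound):
    if not op:
        return True                     # no bound recorded on this side
    if op == "=":
        return pv == bound
    return CMP[op](vtuple(pv), vtuple(bound))

def matching_cves(db, cve_product, pv):
    """CVE ids whose product (and vendor, if given) and range match pv."""
    hits = set()
    for entry in cve_product.split():   # tolerates the leading-space value
        vendor, _, product = entry.rpartition(":")
        sql, args = "SELECT * FROM PRODUCTS WHERE PRODUCT = ?", [product]
        if vendor:
            sql, args = sql + " AND VENDOR = ?", args + [vendor]
        for cve, _v, _p, vs, ops, ve, ope in db.execute(sql, args):
            if bound_ok(pv, ops, vs) and bound_ok(pv, ope, ve):
                hits.add(cve)
    return sorted(hits)

if __name__ == "__main__":
    db = make_db()
    for value in ("libtheora", " theora", "xiph:theora", "itheora"):
        print(repr(value), matching_cves(db, value, "1.1.1"))
```
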

Thread overview: 9+ messages
2025-12-19  4:01 [PATCH] libtheora: set CVE_PRODUCT Ken Kurematsu
2025-12-22 18:57 ` [OE-core] " Randy MacLeod
2025-12-22 23:42   ` Ken Kurematsu
     [not found]   ` <1883AE2C045A1BB3.1614991@lists.openembedded.org>
2025-12-23  0:05     ` Ken Kurematsu
2025-12-24  1:47       ` Randy MacLeod
2025-12-24  3:55         ` Ken Kurematsu
2026-01-16  4:27           ` Ken Kurematsu
2026-01-16 16:50             ` Randy MacLeod [this message]
2026-01-19  8:08               ` Ken Kurematsu
