Re: [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517

[Benjamin Robin <benjamin.robin@bootlin.com>]

Hello Peter,

On Tuesday, April 28, 2026 at 6:51 PM, Marko, Peter wrote:
> 
> > > Benjamin, any idea about this topic?
> > 
> > Yes, sadly the CPE of sudo-rs is trifectatech:sudo.
> > Why this is the official CPE of sudo-rs, I don't know...
> > 
> > What it is happening:
> >  - From https://cveawg.mitre.org/api/cve/CVE-2025-64170
> >    we extract vendor and product name, then we look the products database
> >    which is built in sbom-cve-check.
> >  - The returned CPE are "memorysafety:sudo", "trifectatech:sudo"
> >  - Then we check if the CPE in the SBOM matches with these CPE.
> >    Currently sudo is declared as: *:sudo, which matches trifectatech:sudo.
> 
> Hello Benjamin,
> 
> I will sent CVE_PRODUCT update to get rid of some older sudo-rs CVE.
> 
> However for these two CVEs, I can still only see "sudo-rs" as product, not "sudo", also via link you have provided from cveawg.org/api.

Yes, but this is not a CPE. As explained previously (see the steps detailed
above in the previous email), using the vendor/product names extracted from
the associated field, we look in the products database for an associated CPE:
https://github.com/bootlin/sbom-cve-check/blob/v1.3.0/src/sbom_cve_check/products/products.toml#L1688

The associated CPE is "trifectatech:sudo" (which is used by the NVD database).
Why the NVD database provided this CPE, I don't know... But this is the
"official" CPE for sudo-rs as I am aware.

> Peter
> 
> > 
> > The easy fix is to declare the proper CPE of sudo using CVE_PRODUCT,
> > which should be set to "sudo_project:sudo".
> > 
> > This behavior is documented here:
> > https://sbom-cve-check.readthedocs.io/en/latest/design.html#find-applicable-cve


-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com