From: Benjamin Robin <benjamin.robin@bootlin.com>
To: "Marko, Peter" <Peter.Marko@siemens.com>
Cc: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517
Date: Thu, 30 Apr 2026 09:21:02 +0200 [thread overview]
Message-ID: <zu-eGewcQDqGgk84Tio0gA@bootlin.com> (raw)
In-Reply-To: <AS1PR10MB56972D5D144DE00D1F5838B3FD342@AS1PR10MB5697.EURPRD10.PROD.OUTLOOK.COM>
Hello Peter,
On Wednesday, April 29, 2026 at 7:13 PM, Marko, Peter wrote:
> > > Hello Benjamin,
> > >
> > > I will sent CVE_PRODUCT update to get rid of some older sudo-rs CVE.
> > >
> > > However for these two CVEs, I can still only see "sudo-rs" as product, not "sudo",
> > also via link you have provided from cveawg.org/api.
> >
> > Yes, but this is not a CPE. As explained previously (see the steps detailed
> > above in the previous email), using the vendor/product names extracted from
> > the associated field, we look in the products database for an associated CPE:
> > https://github.com/bootlin/sbom-cve-
> > check/blob/v1.3.0/src/sbom_cve_check/products/products.toml#L1688
>
> Thanks for the explanation.
> Finally, I'm starting to understand how some CVEs get assigned to components where I'd not expect them.
>
> How was that toml file created? Manual work?
> For sudo I think the table is correct (although I don't understand NVD motivation for that).
This is a mix of an automated script and of a manual work...
> However for SDL (CVE-2026-35444) it looks wrong:
> https://github.com/bootlin/sbom-cve-check/blob/v1.3.0/src/sbom_cve_check/products/products.toml#L1608
> Why does it map sdl and sdl_image and simple_directmedia_layer together?
> There are distinctive CPEs for both sdl and sdl_image in NVD DB...
From my understanding this was the same component, but it is clearly
not the case...
- https://nvd.nist.gov/vuln/detail/CVE-2019-7573 use this CPE
"cpe:2.3:a:libsdl:simple_directmedia_layer:*:*:*:*:*:*:*:*"
and refer to both SDL 1 and 2. The referenced code looks like it is:
https://github.com/libsdl-org/SDL/blob/main/src/audio/SDL_wave.c#L376
- https://nvd.nist.gov/vuln/detail/CVE-2008-0544 use this CPE
"cpe:2.3:a:sdl:sdl_image:1.2.6:*:*:*:*:*:*:*"
and refer to SDL_image 1. The referenced code looks like it is:
https://github.com/libsdl-org/SDL_image/blob/SDL-1.2/IMG_lbm.c
> Peter
I expected to make several mistakes. This is a first version, and it is
going to be improved and fixed in the long run (at least this was my plan).
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
next prev parent reply other threads:[~2026-04-30 7:21 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-26 18:50 [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517 Peter Marko
2026-04-26 18:50 ` [PATCH 2/6] cargo: set status of CVE-2023-40030 Peter Marko
2026-04-26 18:50 ` [PATCH 3/6] cargo: set CVE_PRODUCT Peter Marko
2026-04-26 18:50 ` [PATCH 4/6] git: set status of 5 CVEs Peter Marko
2026-04-26 18:50 ` [PATCH 5/6] ovmf: set status for 7 CVEs Peter Marko
2026-04-26 18:50 ` [PATCH 6/6] ffmpeg: set status for 5 CVEs Peter Marko
2026-04-27 7:44 ` Benjamin Robin
2026-04-27 10:07 ` Marko, Peter
2026-04-27 10:10 ` [PATCH v2] ffmpeg: set status for 4 CVEs Peter Marko
2026-04-27 16:40 ` Marko, Peter
2026-04-26 19:17 ` [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517 Marko, Peter
2026-04-27 7:12 ` Benjamin Robin
2026-04-28 16:51 ` Marko, Peter
2026-04-29 7:24 ` Benjamin Robin
2026-04-29 17:13 ` Marko, Peter
2026-04-30 7:21 ` Benjamin Robin [this message]
2026-04-30 7:32 ` Benjamin Robin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=zu-eGewcQDqGgk84Tio0gA@bootlin.com \
--to=benjamin.robin@bootlin.com \
--cc=Peter.Marko@siemens.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox