Hi Randy, Ross

Ping?
Could you please comment on the post below?

--
Ken Kurematsu <[email protected]>

From: Ken Kurematsu <[email protected]>
Sent: Wednesday, December 24, 2025 12:55 PM
To: [email protected]; [email protected]; Ross Burton <[email protected]>
Cc: Masahiro Mizutani <[email protected]>; Yoshitaka Ikeda <[email protected]>; Ken Kurematsu <[email protected]>
Subject: RE: [OE-core] [PATCH] libtheora: set CVE_PRODUCT

Hi Randy,
> From: [email protected] <[email protected]> On Behalf Of Randy MacLeod via lists.openembedded.org
> Sent: Wednesday, December 24, 2025 10:48 AM
> To: Ken Kurematsu <[email protected]>; [email protected]; Ross Burton <[email protected]>
> Cc: Masahiro Mizutani <[email protected]>; Yoshitaka Ikeda <[email protected]>
> Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
>
> On 2025-12-22 7:05 p.m., Ken Kurematsu wrote:
>> Hi Randy,
>> Let me confirm one thing about your comment.
>> If I make the corrections as suggested in the comment, when I retrieve
>> CVE_PRODUCT with bitbake-getvar, only "theora" is included, not "libtheora".
>
> I expect both libtheora and theora to be valid matches...

I see. (This is the result of an old test environment, but it was the same in 1.2.0)

$ bitbake-getvar -r libtheora CVE_PRODUCT
#
# $CVE_PRODUCT [2 operations]
#   set xxx/create-spdx-2.2.bbclass:11
#     [_defaultval] "${BPN}"
#   append xxx/libtheora_1.1.1.bb:23
#     "theora"
# pre-expansion value:
#   " theora"
CVE_PRODUCT=" theora"

but it doesn't look like that.

>> If libtheora should be included, I think the following correction would be best.
>> What do you think? Sorry if I misunderstood.
>>
>> CVE_PRODUCT = "${BPN} theora"
>
> probably not. Ummm...
> I replied to your email in response to a discussion in the Yocto patch review meeting.
> IIRC, Ross Burton was the one who suggested the +=.

It would be a good idea to attend the Yocto patch review meeting and talk to you.
However, I'm not very good at English. Sorry.

> I don't often use the CVE check scripts in oe-core so I'm not sure off-hand,
> how to confirm that the BPN is the default.
The default value is defined in cve-check.bbclass, which can be found at the following URL:
https://github.com/openembedded/openembedded-core/blob/48e98a6e3fd26c418902b76be8865102bd903189/meta/classes/cve-check.bbclass#L31

> Ross ?
>
> Ken, please be patient, it's the winter holiday season so Ross may not reply for a week or two.

Ok, I'll wait for Ross's response.
I will also be on vacation starting next week, so the next time I can reply will be after the New Year.

> ../Randy

By the way, the NVD records have the following values, so I think theora alone will be fine.
(itheora is a different product)

$ sqlite3 downloads/CVE_CHECK/nvdcve_2-2.db .dump | grep theora
:
INSERT INTO PRODUCTS VALUES('CVE-2008-0797', 'itheora','itheora','1.0_rc1','=','','');
INSERT INTO PRODUCTS VALUES('CVE-2024-56431', 'xiph','theora','','','1.2.0','<');
$

Best Regards.
--
Ken Kurematsu <[email protected]>

From: [email protected] <[email protected]> On Behalf Of Ken Kurematsu via lists.openembedded.org
Sent: Tuesday, December 23, 2025 8:43 AM
To: Randy MacLeod <[email protected]>; [email protected]
Cc: Masahiro Mizutani <[email protected]>; Yoshitaka Ikeda <[email protected]>; Ken Kurematsu <[email protected]>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT

Hi Randy,

Thank you for your review.
I will reflect your comments and post v2.

Best regards.
--
Ken Kurematsu <[email protected]>
From: Randy MacLeod <[email protected]>
Sent: Tuesday, December 23, 2025 3:58 AM
To: Ken Kurematsu <[email protected]>; [email protected]
Cc: Masahiro Mizutani <[email protected]>; Yoshitaka Ikeda <[email protected]>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT

Hi Ken,

On 2025-12-18 11:01 p.m., Ken Kurematsu via lists.openembedded.org wrote:
> In the NVD database, the product name of libtheora is theora.
> This was set to ensure that cve-check works correctly.
>
> Signed-off-by: Ken Kurematsu <[email protected]>
> ---
>  meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
> index 04de8507fb..bacaf3aee6 100644
> --- a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
> +++ b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
> @@ -14,6 +14,8 @@ SRC_URI[sha256sum] = "ebdf77a8f5c0a8f7a9e42323844fa09502b34eb1d1fece7b5f54da41fe
>  UPSTREAM_CHECK_REGEX = "libtheora-(?P<pver>\d+(\.\d)+)\.(tar\.gz|tgz)"
> +CVE_PRODUCT = "theora"
> +

From YP patch review,

Please use:
CVE_PRODUCT += "theora"
to catch both libtheora and theora

Thanks,
../Randy

>  inherit autotools pkgconfig
>  EXTRA_OECONF = "--disable-examples --disable-doc"

--
# Randy MacLeod
# Wind River Linux

--
Ken Kurematsu <[email protected]>
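Review bot: the `+CVE_PRODUCT = "theora"` line replaces the `${BPN}` default rather than extending it, and the `+=` suggested in review does not extend it either: the bitbake-getvar output quoted earlier in the thread records the default as a weak `[_defaultval] "${BPN}"` (a `??=` default), which BitBake drops as soon as `+=` gives the variable an explicit value, so the result is `" theora"` with no `libtheora`. If both names are wanted, spell them out as `CVE_PRODUCT = "${BPN} theora"`; if `theora` alone is enough, as the NVD dump in the thread suggests (only `xiph:theora`, with `itheora` being a separate product), the submitted `=` form is correct and the commit message should say that the `${BPN}` default is dropped on purpose.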
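The following is an added illustration, not code from this thread, from BitBake or from oe-core. It models only the three assignment operators the discussion turns on (`=`, `+=`, and the `??=` weak default that bitbake-getvar reports as `_defaultval`), plus plain `${VAR}` expansion, and evaluates the three `CVE_PRODUCT` spellings the thread compares against a constructed copy of the two NVD `PRODUCTS` rows Ken quoted. The `ToyDataStore` class, `cve_product_for` and `matching_cves` are hypothetical helpers written for this example; the `??=` semantics it implements (a weak default is ignored when `+=` builds the new value) are the behaviour the thread's bitbake-getvar output shows.

```python
"""Toy model of the BitBake assignment semantics behind the CVE_PRODUCT thread.

Added example (not BitBake's own code): models `=`, `+=` and `??=` only,
expands `${VAR}`, and matches product names against a constructed copy of
the NVD PRODUCTS rows quoted in the thread.
"""

import re


class ToyDataStore:
    """Minimal stand-in for the BitBake data store (assumption: only the
    behaviour needed for this example is modelled)."""

    def __init__(self):
        self.values = {}    # explicit values given by `=` or `+=`
        self.defaults = {}  # weak defaults given by `??=` (the `_defaultval` flag)

    def set_default(self, name, value):
        # `??=`: used only if nothing ever assigns the variable explicitly.
        self.defaults[name] = value

    def assign(self, name, value):
        # `=`: hard assignment, replaces whatever was there.
        self.values[name] = value

    def append(self, name, value):
        # `+=`: appends " value" to the current *explicit* value. A `??=`
        # default is not an explicit value, so it is not carried over; this
        # is why the thread's `+=` recipe ends up with `" theora"` alone.
        self.values[name] = self.values.get(name, "") + " " + value

    def get(self, name):
        raw = self.values.get(name, self.defaults.get(name, ""))
        return re.sub(r"\$\{(\w+)\}", lambda m: self.get(m.group(1)), raw)


def cve_product_for(recipe_line=None):
    """Evaluate CVE_PRODUCT as the thread's recipes would see it: the class
    sets the weak default `CVE_PRODUCT ??= "${BPN}"` first, then the recipe
    line (if any) runs. Returns the expanded value."""
    d = ToyDataStore()
    d.assign("BPN", "libtheora")
    d.set_default("CVE_PRODUCT", "${BPN}")
    if recipe_line is not None:
        m = re.fullmatch(r'CVE_PRODUCT\s*(\+?=)\s*"([^"]*)"', recipe_line.strip())
        if not m:
            raise ValueError(f"unsupported line: {recipe_line!r}")
        op, value = m.groups()
        (d.append if op == "+=" else d.assign)("CVE_PRODUCT", value)
    return d.get("CVE_PRODUCT")


# Constructed copy of the two PRODUCTS rows quoted in the thread:
# (cve_id, vendor, product, version, op_start, version_end, op_end)
NVD_PRODUCTS = [
    ("CVE-2008-0797", "itheora", "itheora", "1.0_rc1", "=", "", ""),
    ("CVE-2024-56431", "xiph", "theora", "", "", "1.2.0", "<"),
]


def matching_cves(cve_product):
    """CVE ids whose product column equals one of the whitespace-separated
    names in CVE_PRODUCT (whole-name match: 'theora' does not match 'itheora')."""
    names = set(cve_product.split())
    return sorted({row[0] for row in NVD_PRODUCTS if row[2] in names})


if __name__ == "__main__":
    for line in (None,
                 'CVE_PRODUCT = "theora"',
                 'CVE_PRODUCT += "theora"',
                 'CVE_PRODUCT = "${BPN} theora"'):
        value = cve_product_for(line)
        print(f"{line!s:40} -> {value!r:22} matches {matching_cves(value)}")
```

Running the block shows the four cases side by side: with no recipe line the default `libtheora` matches nothing in the constructed rows, which is the gap the patch closes; `=` and `+=` both yield only `theora`; and only the explicit `"${BPN} theora"` spelling keeps both names.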
