Hi Randy,

Let me confirm one thing about your comment.

If I make the corrections as suggested in the comment, when I retrieve 
CVE_PRODUCT with bitbake-getvar,
only "theora" is included, not "libtheora".
(This is the result of an old test environment, but it was the same in 1.2.0)

$ bitbake-getvar -r libtheora CVE_PRODUCT
#
# $CVE_PRODUCT [2 operations]
#   set xxx/create-spdx-2.2.bbclass:11
#     [_defaultval] "${BPN}"
#   append xxx/libtheora_1.1.1.bb:23
#     "theora"
# pre-expansion value:
#   " theora"
CVE_PRODUCT=" theora"

If libtheora should be included, I think the following correction would be 
best. What do you think?
Sorry if I misunderstood.

CVE_PRODUCT = "${BPN} theora"


By the way, the NVD records have the following values, so I think theora alone 
will be fine.
(itheora is a different product)

$ sqlite3 downloads/CVE_CHECK/nvdcve_2-2.db .dump | grep theora
:
INSERT INTO PRODUCTS VALUES('CVE-2008-0797', 
'itheora','itheora','1.0_rc1','=','','');
INSERT INTO PRODUCTS VALUES('CVE-2024-56431', 
'xiph','theora','','','1.2.0','<');
$

Best Regards.
--
Ken Kurematsu <[email protected]>
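The lookup discussed in the message above, as an added example that is not part of the original e-mail and is not OE-core's cve-check code: it compares exact product matching for each CVE_PRODUCT entry with the substring search that `grep theora` performs. The two rows are the ones quoted from the dump; the column names, the function names and the `vendor:product` handling are assumptions of this sketch.

```python
import sqlite3

# Rows copied from the sqlite3 dump quoted above. The column names below are
# assumed, since the dump shows only the values.
ROWS = [
    ("CVE-2008-0797", "itheora", "itheora", "1.0_rc1", "=", "", ""),
    ("CVE-2024-56431", "xiph", "theora", "", "", "1.2.0", "<"),
]

def open_sample_db():
    """Build an in-memory stand-in for the PRODUCTS table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE PRODUCTS (ID TEXT, VENDOR TEXT, PRODUCT TEXT, "
        "VERSION_START TEXT, OPERATOR_START TEXT, "
        "VERSION_END TEXT, OPERATOR_END TEXT)"
    )
    db.executemany("INSERT INTO PRODUCTS VALUES (?,?,?,?,?,?,?)", ROWS)
    return db

def cves_for(db, cve_product):
    """Map each CVE_PRODUCT entry to the CVE IDs whose product matches exactly.

    Entries are whitespace-separated; "vendor:product" also restricts the
    vendor, a bare "product" accepts any vendor.
    """
    result = {}
    for entry in cve_product.split():
        vendor, _, product = entry.rpartition(":")
        sql = "SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT = ?"
        args = [product]
        if vendor:
            sql += " AND VENDOR = ?"
            args.append(vendor)
        result[entry] = sorted(r[0] for r in db.execute(sql, args))
    return result

def substring_hits(db, needle):
    """CVE IDs a grep-style substring search on the product name returns."""
    rows = db.execute(
        "SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT LIKE ?", (f"%{needle}%",)
    )
    return sorted(r[0] for r in rows)

if __name__ == "__main__":
    db = open_sample_db()
    print(cves_for(db, "libtheora theora"))
    print(cves_for(db, "xiph:theora"))
    print(substring_hits(db, "theora"))
```
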

From: [email protected] 
<[email protected]> On Behalf Of Ken Kurematsu via 
lists.openembedded.org
Sent: Tuesday, December 23, 2025 8:43 AM
To: Randy MacLeod <[email protected]>; 
[email protected]
Cc: Masahiro Mizutani <[email protected]>; Yoshitaka Ikeda 
<[email protected]>; Ken Kurematsu <[email protected]>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT

Hi Randy,

Thank you for your review.
I will reflect your comments and post v2.

Best regards.
--
Ken Kurematsu <[email protected]>

From: Randy MacLeod <[email protected]>
Sent: Tuesday, December 23, 2025 3:58 AM
To: Ken Kurematsu <[email protected]>; [email protected]
Cc: Masahiro Mizutani <[email protected]>; Yoshitaka Ikeda <[email protected]>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT

Hi Ken,

On 2025-12-18 11:01 p.m., Ken Kurematsu via lists.openembedded.org wrote:

In the NVD database, the product name of libtheora is theora.

This was set to ensure that cve-check works correctly.



Signed-off-by: Ken Kurematsu <[email protected]>

---

 meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb | 2 ++

 1 file changed, 2 insertions(+)



diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb 
b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb

index 04de8507fb..bacaf3aee6 100644

--- a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb

+++ b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb

@@ -14,6 +14,8 @@ SRC_URI[sha256sum] = 
"ebdf77a8f5c0a8f7a9e42323844fa09502b34eb1d1fece7b5f54da41fe



 UPSTREAM_CHECK_REGEX = "libtheora-(?P<pver>\d+(\.\d)+)\.(tar\.gz|tgz)"



+CVE_PRODUCT = "theora"

+



From YP patch review,
Please use:

CVE_PRODUCT += "theora"

to catch both libtheora and theora

Thanks,

../Randy





 inherit autotools pkgconfig



 EXTRA_OECONF = "--disable-examples --disable-doc"
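
Review bot: the added `CVE_PRODUCT = "theora"` line has no comment saying why the product name differs from the recipe name, and the hard `=` replaces the `${BPN}` default, so `libtheora` is no longer searched. A one-line comment above the assignment noting that NVD lists the product as `theora` would document the intent. If both names should be matched, spell them out as `CVE_PRODUCT = "${BPN} theora"`; to limit the match to one vendor, `xiph:theora` uses the vendor shown in the NVD row quoted in this thread.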








--

# Randy MacLeod

# Wind River Linux