--
Ken Kurematsu <[email protected]>
*From:* Ken Kurematsu <[email protected]>
*Sent:* Wednesday, December 24, 2025 12:55 PM
*To:* [email protected]; [email protected]; Ross Burton <[email protected]>
*Cc:* Masahiro Mizutani <[email protected]>; Yoshitaka Ikeda <[email protected]>; Ken Kurematsu <[email protected]>
*Subject:* RE: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
Hi Randy,
*From:* [email protected] <[email protected]> *On Behalf Of* Randy MacLeod via lists.openembedded.org
*Sent:* Wednesday, December 24, 2025 10:48 AM
*To:* Ken Kurematsu <[email protected]>; [email protected]; Ross Burton <[email protected]>
*Cc:* Masahiro Mizutani <[email protected]>; Yoshitaka Ikeda <[email protected]>
*Subject:* Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
On 2025-12-22 7:05 p.m., Ken Kurematsu wrote:
Hi Randy,
Let me confirm one thing about your comment.
If I make the corrections as suggested in the comment, when I
retrieve CVE_PRODUCT with bitbake-getvar,
only "theora" is included, not "libtheora".
I expect both libtheora and theora to be valid matches...
I see.
(This is the result of an old test environment, but it was the
same in 1.2.0)
$ bitbake-getvar -r libtheora CVE_PRODUCT
#
# $CVE_PRODUCT [2 operations]
#   set xxx/create-spdx-2.2.bbclass:11
#     [_defaultval] "${BPN}"
#   append xxx/libtheora_1.1.1.bb:23
#     "theora"
# pre-expansion value:
#   " theora"
CVE_PRODUCT=" theora"
but it doesn't look like that.
If libtheora should be included, I think the following correction
would be best. What do you think?
Sorry if I misunderstood.
CVE_PRODUCT = "${BPN} theora"
probably not.
Ummm…
I replied to your email in response to a discussion in the Yocto patch
review meeting.
IIRC, Ross Burton was the one who suggested the +=.
It would be a good idea to attend the Yocto patch review meeting and
talk to you.
However, I'm not very good at English. Sorry.
I don't often use the CVE check scripts in oe-core so I'm not sure
off-hand, how to confirm
that the BPN is the default.
The default value is defined in cve-check.bbclass, which can be found
at the following URL:
https://github.com/openembedded/openembedded-core/blob/48e98a6e3fd26c418902b76be8865102bd903189/meta/classes/cve-check.bbclass#L31
Ross ?
Ken, please be patient, it's the winter holiday season so Ross may not
reply for a week or two.
Ok, I'll wait for Ross's response.
I will also be on vacation starting next week, so the next time I can
reply will be after the New Year.
../Randy
By the way, the NVD records have the following values, so I think
theora alone will be fine.
(itheora is a different product)
$ sqlite3 downloads/CVE_CHECK/nvdcve_2-2.db .dump | grep theora
:
INSERT INTO PRODUCTS VALUES('CVE-2008-0797','itheora','itheora','1.0_rc1','=','','');
INSERT INTO PRODUCTS VALUES('CVE-2024-56431','xiph','theora','','','1.2.0','<');
$
Best Regards.
--
Ken Kurematsu <[email protected]>
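The bitbake-getvar result discussed in this thread follows from how BitBake treats a `??=` default at parse time. The following is an added example, not code from the thread or from BitBake itself: a small model of the `??=`, `=` and `+=` operators (only these three, and only `${VAR}` expansion) that reproduces why `+=` yields `" theora"` while `= "${BPN} theora"` keeps both names. The class and function names are my own.

```python
import re


class MiniBitBakeData:
    """Tiny stand-in for BitBake's datastore: explicit values plus a weak default.

    Models only what the thread needs: ??= (stored as a _defaultval-style
    default), = (plain assignment) and += (parse-time append).
    """

    def __init__(self):
        self.values = {}    # explicit assignments made with = or +=
        self.defaults = {}  # weak defaults made with ??=

    def parse_line(self, line):
        m = re.match(r'^\s*(\w+)\s*(\?\?=|\+=|=)\s*"(.*)"\s*$', line)
        if not m:
            raise ValueError("unsupported assignment: %r" % line)
        key, op, val = m.groups()
        if op == "??=":
            self.defaults[key] = val
        elif op == "=":
            self.values[key] = val
        else:  # "+="
            # Parse-time append only sees an explicit value, not a ??= default,
            # so with no prior assignment the result is " " + val.
            self.values[key] = (self.values.get(key) or "") + " " + val

    def get_var(self, key):
        raw = self.values.get(key, self.defaults.get(key))
        if raw is None:
            return None
        # Expand ${VAR} references recursively (enough for ${BPN} here).
        return re.sub(r"\$\{(\w+)\}",
                      lambda m: self.get_var(m.group(1)) or "", raw)


def resolve_cve_product(recipe_line, bpn="libtheora"):
    """Expanded CVE_PRODUCT for one recipe line layered over the class default."""
    d = MiniBitBakeData()
    d.parse_line('BPN = "%s"' % bpn)
    d.parse_line('CVE_PRODUCT ??= "${BPN}"')  # default as in cve-check.bbclass
    d.parse_line(recipe_line)
    return d.get_var("CVE_PRODUCT")


if __name__ == "__main__":
    for line in ('CVE_PRODUCT = "theora"', 'CVE_PRODUCT += "theora"',
                 'CVE_PRODUCT = "${BPN} theora"'):
        print("%-32s -> %r" % (line, resolve_cve_product(line)))
```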
*From:* [email protected] <[email protected]> *On Behalf Of* Ken Kurematsu via lists.openembedded.org
*Sent:* Tuesday, December 23, 2025 8:43 AM
*To:* Randy MacLeod <[email protected]>; [email protected]
*Cc:* Masahiro Mizutani <[email protected]>; Yoshitaka Ikeda <[email protected]>; Ken Kurematsu <[email protected]>
*Subject:* Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
Hi Randy,
Thank you for your review.
I will reflect your comments and post v2.
Best regards.
--
Ken Kurematsu <[email protected]>
*From:* Randy MacLeod <[email protected]>
*Sent:* Tuesday, December 23, 2025 3:58 AM
*To:* Ken Kurematsu <[email protected]>; [email protected]
*Cc:* Masahiro Mizutani <[email protected]>; Yoshitaka Ikeda <[email protected]>
*Subject:* Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT
Hi Ken,
On 2025-12-18 11:01 p.m., Ken Kurematsu via lists.openembedded.org wrote:
In the NVD database, the product name of libtheora is theora.
This was set to ensure that cve-check works correctly.
Signed-off-by: Ken Kurematsu<[email protected]>
---
meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
index 04de8507fb..bacaf3aee6 100644
--- a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
+++ b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
@@ -14,6 +14,8 @@ SRC_URI[sha256sum] =
"ebdf77a8f5c0a8f7a9e42323844fa09502b34eb1d1fece7b5f54da41fe
UPSTREAM_CHECK_REGEX = "libtheora-(?P<pver>\d+(\.\d)+)\.(tar\.gz|tgz)"
+CVE_PRODUCT = "theora"
+
From YP patch review,
Please use:
CVE_PRODUCT += "theora"
to catch both libtheora and theora
Thanks,
../Randy
inherit autotools pkgconfig
EXTRA_OECONF = "--disable-examples --disable-doc"
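Review bot: the added `CVE_PRODUCT = "theora"` line replaces the class default `${BPN}` rather than extending it, so "libtheora" drops out of the product list; note from the later bitbake-getvar output in this thread that `CVE_PRODUCT += "theora"` does not keep the default either (it resolves to `" theora"`), so if both names are wanted the explicit `CVE_PRODUCT = "${BPN} theora"` form proposed later is the one that delivers them. Against that, the NVD rows quoted in the thread only carry vendor `xiph`, product `theora` (with `itheora` being a different product), which supports the plain assignment in this hunk; the commit message should state which of the two outcomes is intended.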
--
# Randy MacLeod
# Wind River Linux