
libtheora: set CVE_PRODUCT

Message ID TYRP286MB5995F2B556CCD6EDFD533D3CDBA9A@TYRP286MB5995.JPNP286.PROD.OUTLOOK.COM
State Under Review
Series: libtheora: set CVE_PRODUCT

Commit Message

Ken Kurematsu Dec. 19, 2025, 4:01 a.m. UTC
In the NVD database, the product name of libtheora is theora.
This was set to ensure that cve-check works correctly.

Signed-off-by: Ken Kurematsu <k.kurematsu@nskint.co.jp>
---
 meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb | 2 ++
 1 file changed, 2 insertions(+)

Comments

Randy MacLeod Dec. 22, 2025, 6:57 p.m. UTC | #1
Hi Ken,

On 2025-12-18 11:01 p.m., Ken Kurematsu via lists.openembedded.org wrote:
> In the NVD database, the product name of libtheora is theora.
> This was set to ensure that cve-check works correctly.
>
> Signed-off-by: Ken Kurematsu<k.kurematsu@nskint.co.jp>
> ---
>   meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb | 2 ++
>   1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
> index 04de8507fb..bacaf3aee6 100644
> --- a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
> +++ b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
> @@ -14,6 +14,8 @@ SRC_URI[sha256sum] = "ebdf77a8f5c0a8f7a9e42323844fa09502b34eb1d1fece7b5f54da41fe
>
>   UPSTREAM_CHECK_REGEX = "libtheora-(?P<pver>\d+(\.\d)+)\.(tar\.gz|tgz)"
>
> +CVE_PRODUCT = "theora"
> +

 From YP patch review,

Please use:

CVE_PRODUCT += "theora"

to catch both libtheora and theora


Thanks,

../Randy

>   inherit autotools pkgconfig
>
>   EXTRA_OECONF = "--disable-examples --disable-doc"
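Review bot: the plain assignment `CVE_PRODUCT = "theora"` at the end of this hunk overrides the cve-check class default of `${BPN}`, so after this change the recipe is matched only under the product name `theora` and never under `libtheora`; that is what the commit message intends, but it should be stated in the recipe, and a one-line comment above the assignment saying that NVD tracks libtheora as `theora` would save the next maintainer a database lookup. Since the NVD rows quoted later in this thread carry the vendor `xiph`, the vendor-qualified form `CVE_PRODUCT = "xiph:theora"` would also rule out matches against any other vendor's product that happens to be called `theora`.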
>
Ken Kurematsu Dec. 22, 2025, 11:42 p.m. UTC | #2
Hi Randy,

Thank you for your review.
I will reflect your comments and post v2.

Best regards.
--
Ken Kurematsu <k.kurematsu@nskint.co.jp>

Ken Kurematsu Dec. 23, 2025, 12:05 a.m. UTC | #3
Hi Randy,

Let me confirm one thing about your comment.

If I make the corrections as suggested in the comment, when I retrieve CVE_PRODUCT with bitbake-getvar,
only "theora" is included, not "libtheora".
(This is the result of an old test environment, but it was the same in 1.2.0)

$ bitbake-getvar -r libtheora CVE_PRODUCT
#
# $CVE_PRODUCT [2 operations]
#   set xxx/create-spdx-2.2.bbclass:11
#     [_defaultval] "${BPN}"
#   append xxx/libtheora_1.1.1.bb:23
#     "theora"
# pre-expansion value:
#   " theora"
CVE_PRODUCT=" theora"

If libtheora should be included, I think the following correction would be best. What do you think?
Sorry if I misunderstood.

CVE_PRODUCT = "${BPN} theora"


By the way, the NVD records have the following values, so I think theora alone will be fine.
(itheora is a different product)

$ sqlite3 downloads/CVE_CHECK/nvdcve_2-2.db .dump | grep theora
:
INSERT INTO PRODUCTS VALUES('CVE-2008-0797', 'itheora','itheora','1.0_rc1','=','','');
INSERT INTO PRODUCTS VALUES('CVE-2024-56431', 'xiph','theora','','','1.2.0','<');
$

Best Regards.
--
Ken Kurematsu <k.kurematsu@nskint.co.jp>
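To make the two points in this message concrete, here is an added example (my code, not OE-core's or BitBake's): a reduced model of the `??=` / `=` / `+=` semantics that produce the bitbake-getvar output above, and a cve-check-style match of each candidate CVE_PRODUCT value against the two NVD rows from the sqlite dump, loaded into an in-memory database. The PRODUCTS column order is taken from the dump; the `vendor:product` syntax and the `PRODUCT IS ? AND VENDOR LIKE ?` query follow what cve-check.bbclass does; the version comparison is a simplification of the one in oe.cve_check. Treat those three as assumptions.

```python
"""Added example, not OE-core code: (1) a reduced model of the BitBake
assignment semantics behind the bitbake-getvar output in the thread, and
(2) a cve-check-style product/version match against the two NVD rows from
the sqlite dump, copied into an in-memory database (constructed data)."""
import re
import sqlite3


def evaluate(ops, bpn):
    """Resolve a CVE_PRODUCT value from ordered (operator, rhs) pairs.

    `??=` records a default that is used only if nothing else assigns.
    `+=` appends to the current *value* (empty when only a default exists),
    so it counts as an assignment and the default is discarded.  Simplified
    model of the BitBake datastore, not BitBake itself.
    """
    value = default = None
    for op, rhs in ops:
        rhs = rhs.replace("${BPN}", bpn)
        if op == "??=":
            default = rhs
        elif op == "=":
            value = rhs
        elif op == "+=":
            value = (value or "") + " " + rhs
        else:
            raise ValueError(f"unsupported operator {op}")
    return value if value is not None else default


# Rows copied from the dump in the thread (constructed test data).
PRODUCT_ROWS = [
    ("CVE-2008-0797", "itheora", "itheora", "1.0_rc1", "=", "", ""),
    ("CVE-2024-56431", "xiph", "theora", "", "", "1.2.0", "<"),
]


def build_db():
    """In-memory stand-in for downloads/CVE_CHECK/nvdcve_2-2.db (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PRODUCTS (ID TEXT, VENDOR TEXT, PRODUCT TEXT, "
                 "VERSION_START TEXT, OPERATOR_START TEXT, "
                 "VERSION_END TEXT, OPERATOR_END TEXT)")
    conn.executemany("INSERT INTO PRODUCTS VALUES (?,?,?,?,?,?,?)", PRODUCT_ROWS)
    return conn


def _vkey(version):
    """Numeric components only; simplified relative to oe.cve_check.Version."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def _in_range(version, v_start, op_start, v_end, op_end):
    if op_start == "=":                      # exact-version row
        return version == v_start
    v = _vkey(version)
    if v_start and not (v > _vkey(v_start) if op_start == ">" else v >= _vkey(v_start)):
        return False
    if v_end and not (v < _vkey(v_end) if op_end == "<" else v <= _vkey(v_end)):
        return False
    return True


def affected_cves(conn, cve_product, version):
    """Return CVE IDs whose PRODUCTS rows match any name in CVE_PRODUCT."""
    hits = []
    for name in cve_product.split():          # leading space from += is harmless
        vendor, _, product = name.rpartition(":")
        vendor = vendor or "%"                # unqualified name: any vendor
        rows = conn.execute(
            "SELECT ID, VERSION_START, OPERATOR_START, VERSION_END, OPERATOR_END "
            "FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor))
        for cve, vs, ops, ve, ope in rows:
            if _in_range(version, vs, ops, ve, ope) and cve not in hits:
                hits.append(cve)
    return hits


def scenarios(bpn="libtheora", version="1.1.1"):
    """Each candidate recipe line -> (expanded CVE_PRODUCT, matched CVEs)."""
    conn = build_db()
    default = [("??=", "${BPN}")]             # cve-check.bbclass default
    recipes = {
        "class default only": default,
        'CVE_PRODUCT = "theora"': default + [("=", "theora")],
        'CVE_PRODUCT += "theora"': default + [("+=", "theora")],
        'CVE_PRODUCT = "${BPN} theora"': default + [("=", "${BPN} theora")],
        'CVE_PRODUCT = "xiph:theora"': default + [("=", "xiph:theora")],
    }
    out = {}
    for line, ops in recipes.items():
        value = evaluate(ops, bpn)
        out[line] = (value, affected_cves(conn, value, version))
    return out


if __name__ == "__main__":
    for line, (value, cves) in scenarios().items():
        print(f"{line:34} -> CVE_PRODUCT={value!r:22} {cves}")
```

Running it prints one line per candidate recipe line. The `+=` case reproduces the leading-space `" theora"` value seen in the bitbake-getvar output, and for version 1.1.1 every form except the class default matches CVE-2024-56431; `PRODUCT IS ?` is an exact comparison, so `theora` never picks up the unrelated `itheora` row, and the `xiph:theora` form additionally refuses rows from any other vendor.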

Randy MacLeod Dec. 24, 2025, 1:47 a.m. UTC | #4
On 2025-12-22 7:05 p.m., Ken Kurematsu wrote:
>
> Hi Randy,
>
> Let me confirm one thing about your comment.
>
> If I make the corrections as suggested in the comment, when I retrieve
> CVE_PRODUCT with bitbake-getvar,
> only "theora" is included, not "libtheora".
>
I expect both libtheora and theora to be valid matches...
>
> (This is the result of an old test environment, but it was the same in
> 1.2.0)
>
> $ bitbake-getvar -r libtheora CVE_PRODUCT
> #
> # $CVE_PRODUCT [2 operations]
> #   set xxx/create-spdx-2.2.bbclass:11
> #     [_defaultval] "${BPN}"
> #   append xxx/libtheora_1.1.1.bb:23
> #     "theora"
> # pre-expansion value:
> #   " theora"
> CVE_PRODUCT=" theora"
>
but it doesn't look like that.
>
> If libtheora should be included, I think the following correction
> would be best. What do you think?
>
> Sorry if I misunderstood.
>
> CVE_PRODUCT = "${BPN} theora"
>
probably not.

I replied to your email in response to a discussion in the Yocto patch
review meeting.
IIRC, Ross Burton was the one who suggested the +=.

I don't often use the CVE check scripts in oe-core so I'm not sure
off-hand how to confirm that the BPN is the default.

Ross ?

Ken, please be patient, it's the winter holiday season so Ross may not
reply for a week or two.

../Randy


Ken Kurematsu Dec. 24, 2025, 3:55 a.m. UTC | #5
Hi Randy,

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Randy MacLeod via lists.openembedded.org
Sent: Wednesday, December 24, 2025 10:48 AM
To: Ken Kurematsu <k.kurematsu@nskint.co.jp>; openembedded-core@lists.openembedded.org; Ross Burton <ross.burton@arm.com>
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda <ikeda@nskint.co.jp>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT

> On 2025-12-22 7:05 p.m., Ken Kurematsu wrote:
> > Hi Randy,
> >
> > Let me confirm one thing about your comment.
> >
> > If I make the corrections as suggested in the comment, when I retrieve CVE_PRODUCT with bitbake-getvar,
> > only "theora" is included, not "libtheora".
>
> I expect both libtheora and theora to be valid matches...

I see.

> > (This is the result of an old test environment, but it was the same in 1.2.0)
> >
> > $ bitbake-getvar -r libtheora CVE_PRODUCT
> > #
> > # $CVE_PRODUCT [2 operations]
> > #   set xxx/create-spdx-2.2.bbclass:11
> > #     [_defaultval] "${BPN}"
> > #   append xxx/libtheora_1.1.1.bb:23
> > #     "theora"
> > # pre-expansion value:
> > #   " theora"
> > CVE_PRODUCT=" theora"
>
> but it doesn't look like that.
>
> > If libtheora should be included, I think the following correction would be best. What do you think?
> > Sorry if I misunderstood.
> >
> > CVE_PRODUCT = "${BPN} theora"
>
> probably not.

Ummm...

> I replied to your email in response to a discussion in the Yocto patch review meeting.
> IIRC, Ross Burton was the one who suggested the +=.

It would be a good idea to attend the Yocto patch review meeting and talk to you.
However, I'm not very good at English. Sorry.

> I don't often use the CVE check scripts in oe-core so I'm not sure off-hand how to confirm
> that the BPN is the default.

The default value is defined in cve-check.bbclass, which can be found at the following URL:
https://github.com/openembedded/openembedded-core/blob/48e98a6e3fd26c418902b76be8865102bd903189/meta/classes/cve-check.bbclass#L31

> Ross ?
>
> Ken, please be patient, it's the winter holiday season so Ross may not reply for a week or two.

Ok, I'll wait for Ross's response.
I will also be on vacation starting next week, so the next time I can reply will be after the New Year.

> ../Randy





--

Ken Kurematsu <k.kurematsu@nskint.co.jp>
Ken Kurematsu Jan. 16, 2026, 4:27 a.m. UTC | #6
Hi Randy, Ross

Ping?

Could you please comment on the post below?


--

Ken Kurematsu <k.kurematsu@nskint.co.jp>

Randy MacLeod Jan. 16, 2026, 4:50 p.m. UTC | #7
Hi Ken,

On 2026-01-15 11:27 p.m., Ken Kurematsu wrote:
>
> Hi Randy, Ross
>
> Ping?
>
> Could you please comment on the post below?
>
FYI:
a8ddda6033   2025-12-19   libtheora: set CVE_PRODUCT

On master, merged 8 days ago:

https://git.openembedded.org/openembedded-core/commit/?id=a8ddda60332e2a3219e905c1545b5da917f855c6

I think we decided that most bugs were tracked by that name.

../Randy

Ken Kurematsu Jan. 19, 2026, 8:08 a.m. UTC | #8
Hi Randy

Thank you for your reply.

Sorry, I overlooked that. It was indeed merged.


Best Regards.
--
Ken Kurematsu <k.kurematsu@nskint.co.jp>

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Randy MacLeod via lists.openembedded.org
Sent: Saturday, January 17, 2026 1:50 AM
To: Ken Kurematsu <k.kurematsu@nskint.co.jp>; openembedded-core@lists.openembedded.org; Ross Burton <ross.burton@arm.com>
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda <ikeda@nskint.co.jp>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT


Hi Ken,

On 2026-01-15 11:27 p.m., Ken Kurematsu wrote:
Hi Randy, Ross

Ping?

Could you please comment on the post below?
FYI:
a8ddda6033   2025-12-19   libtheora: set CVE_PRODUCT

On master, merged 8 days ago:

https://git.openembedded.org/openembedded-core/commit/?id=a8ddda60332e2a3219e905c1545b5da917f855c6

I think we decided that most bugs were tracked by that name.

../Randy


--

Ken Kurematsu <k.kurematsu@nskint.co.jp>

From: Ken Kurematsu <k.kurematsu@nskint.co.jp>
Sent: Wednesday, December 24, 2025 12:55 PM
To: randy.macleod@windriver.com; openembedded-core@lists.openembedded.org; Ross Burton <ross.burton@arm.com>
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda <ikeda@nskint.co.jp>; Ken Kurematsu <k.kurematsu@nskint.co.jp>
Subject: RE: [OE-core] [PATCH] libtheora: set CVE_PRODUCT

Hi Randy,

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Randy MacLeod via lists.openembedded.org
Sent: Wednesday, December 24, 2025 10:48 AM
To: Ken Kurematsu <k.kurematsu@nskint.co.jp>; openembedded-core@lists.openembedded.org; Ross Burton <ross.burton@arm.com>
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda <ikeda@nskint.co.jp>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT

On 2025-12-22 7:05 p.m., Ken Kurematsu wrote:
Hi Randy,

Let me confirm one thing about your comment.

If I make the corrections as suggested in the comment, when I retrieve CVE_PRODUCT with bitbake-getvar,
only "theora" is included, not "libtheora".
I expect both libtheora and theora to be valid matches...
I see.
(This is the result of an old test environment, but it was the same in 1.2.0)

$ bitbake-getvar -r libtheora CVE_PRODUCT
#
# $CVE_PRODUCT [2 operations]
#   set xxx/create-spdx-2.2.bbclass:11
#     [_defaultval] "${BPN}"
#   append xxx/libtheora_1.1.1.bb:23
#     "theora"
# pre-expansion value:
#   " theora"
CVE_PRODUCT=" theora"
but it doesn't look like that.

If libtheora should be included, I think the following correction would be best. What do you think?
Sorry if I misunderstood.

CVE_PRODUCT = "${BPN} theora"
probably not.
Ummm…

I replied to your email in response to a discussion in the Yocto patch review meeting.
IIRC, Ross Burton was the one who suggested the +=.

It would be a good idea to attend the Yocto patch review meeting and talk to you.
However, I'm not very good at English. Sorry.

I don't often use the CVE check scripts in oe-core so I'm not sure off-hand, how to confirm
that the BPN is the default.

The default value is defined in cve-check.bbclass, which can be found at the following URL:
https://github.com/openembedded/openembedded-core/blob/48e98a6e3fd26c418902b76be8865102bd903189/meta/classes/cve-check.bbclass#L31

Ross ?

Ken, please be patient, it's the winter holiday season so Ross may not reply for a week or two.

Ok, I'll wait for Ross's response.
I will also be on vacation starting next week, so the next time I can reply will be after the New Year.

../Randy




By the way, the NVD records have the following values, so I think theora alone will be fine.
(itheora is a different product)

$ sqlite3 downloads/CVE_CHECK/nvdcve_2-2.db .dump | grep theora
:
INSERT INTO PRODUCTS VALUES('CVE-2008-0797', 'itheora','itheora','1.0_rc1','=','','');
INSERT INTO PRODUCTS VALUES('CVE-2024-56431', 'xiph','theora','','','1.2.0','<');
$

Best Regards.
--
Ken Kurematsu <k.kurematsu@nskint.co.jp>

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Ken Kurematsu via lists.openembedded.org
Sent: Tuesday, December 23, 2025 8:43 AM
To: Randy MacLeod <randy.macleod@windriver.com>; openembedded-core@lists.openembedded.org
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda <ikeda@nskint.co.jp>; Ken Kurematsu <k.kurematsu@nskint.co.jp>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT

Hi Randy,

Thank you for your review.
I will reflect your comments and post v2.

Best regards.
--
Ken Kurematsu <k.kurematsu@nskint.co.jp>

From: Randy MacLeod <randy.macleod@windriver.com>
Sent: Tuesday, December 23, 2025 3:58 AM
To: Ken Kurematsu <k.kurematsu@nskint.co.jp>; openembedded-core@lists.openembedded.org
Cc: Masahiro Mizutani <m.mizutani@nskint.co.jp>; Yoshitaka Ikeda <ikeda@nskint.co.jp>
Subject: Re: [OE-core] [PATCH] libtheora: set CVE_PRODUCT

Hi Ken,

On 2025-12-18 11:01 p.m., Ken Kurematsu via lists.openembedded.org wrote:

In the NVD database, the product name of libtheora is theora.

This was set to ensure that cve-check works correctly.



Signed-off-by: Ken Kurematsu <k.kurematsu@nskint.co.jp>

---

 meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb | 2 ++

 1 file changed, 2 insertions(+)



diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb

index 04de8507fb..bacaf3aee6 100644

--- a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb

+++ b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb

@@ -14,6 +14,8 @@ SRC_URI[sha256sum] = "ebdf77a8f5c0a8f7a9e42323844fa09502b34eb1d1fece7b5f54da41fe



 UPSTREAM_CHECK_REGEX = "libtheora-(?P<pver>\d+(\.\d)+)\.(tar\.gz|tgz)"



+CVE_PRODUCT = "theora"

+



From YP patch review,
Please use:

CVE_PRODUCT += "theora"



to catch both libtheora and theora





Thanks,



../Randy





 inherit autotools pkgconfig



 EXTRA_OECONF = "--disable-examples --disable-doc"








--

# Randy MacLeod

# Wind River Linux



--

# Randy MacLeod

# Wind River Linux



--

Ken Kurematsu <k.kurematsu@nskint.co.jp>





--

# Randy MacLeod

# Wind River Linux
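The question the thread keeps returning to is whether a given CVE_PRODUCT value actually resolves to anything in the NVD table cve-check consults. The check below is an added example, not cve-check's own code and not from the thread: it builds an in-memory SQLite table from the two PRODUCTS rows Ken quoted (column names are assumed to follow cve-check's PRODUCTS table), resolves entries modelled on cve-check's rule (a bare product matches any vendor, `vendor:product` pins the vendor, the product name must match exactly), and uses a simplified numeric version compare in place of bb.utils.Version.

```python
import re
import sqlite3

# Constructed in-memory stand-in for cve-check's nvdcve_2-2.db. The two rows are
# the ones quoted in the thread; the column layout is assumed to match the
# PRODUCTS table that cve-check's NVD updater creates.
ROWS = [
    ("CVE-2008-0797", "itheora", "itheora", "1.0_rc1", "=", "", ""),
    ("CVE-2024-56431", "xiph", "theora", "", "", "1.2.0", "<"),
]

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PRODUCTS (ID TEXT, VENDOR TEXT, PRODUCT TEXT, "
                 "VERSION_START TEXT, OPERATOR_START TEXT, VERSION_END TEXT, "
                 "OPERATOR_END TEXT)")
    conn.executemany("INSERT INTO PRODUCTS VALUES (?,?,?,?,?,?,?)", ROWS)
    return conn

def _vtuple(version):
    # Simplified numeric compare; cve-check uses bb.utils.Version instead.
    return tuple(int(n) for n in re.findall(r"\d+", version))

def _in_range(version, start, op_start, end, op_end):
    """True when `version` lies in the affected range (empty bounds are open)."""
    v, ok = _vtuple(version), True
    if start:
        s = _vtuple(start)
        ok = ok and {"=": v == s, ">=": v >= s, ">": v > s}[op_start]
    if end:
        e = _vtuple(end)
        ok = ok and {"<=": v <= e, "<": v < e}[op_end]
    return ok

def lookup(conn, cve_product, version):
    """Resolve CVE_PRODUCT like cve-check: whitespace-separated entries, each
    'product' (any vendor) or 'vendor:product', matched exactly on PRODUCT.
    Returns {entry: [(cve_id, vendor, product, version_affected), ...]}; an empty
    list means cve-check would silently report nothing for that name."""
    result = {}
    for entry in cve_product.split():
        vendor, _, product = entry.rpartition(":")
        rows = conn.execute(
            "SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?",
            (product, vendor or "%"))
        result[entry] = [(cve, ven, prod, _in_range(version, vs, os_, ve, oe))
                         for cve, ven, prod, vs, os_, ve, oe in rows]
    return result
```

Run against the default `${BPN}` value, `lookup(open_db(), "libtheora", "1.1.1")["libtheora"]` comes back empty, which is exactly why the bare recipe name misses CVE-2024-56431 while `theora` (or `xiph:theora`) finds it; the same call with version `1.2.0` marks the match as not affected, matching the `< 1.2.0` bound in the row.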

Patch

diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
index 04de8507fb..bacaf3aee6 100644
--- a/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
+++ b/meta/recipes-multimedia/libtheora/libtheora_1.2.0.bb
@@ -14,6 +14,8 @@  SRC_URI[sha256sum] = "ebdf77a8f5c0a8f7a9e42323844fa09502b34eb1d1fece7b5f54da41fe

 UPSTREAM_CHECK_REGEX = "libtheora-(?P<pver>\d+(\.\d)+)\.(tar\.gz|tgz)"

+CVE_PRODUCT = "theora"
+
 inherit autotools pkgconfig

 EXTRA_OECONF = "--disable-examples --disable-doc"
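Review bot: the added `CVE_PRODUCT = "theora"` line overwrites the class default `${BPN}` rather than extending it, so after this hunk cve-check stops looking for `libtheora` altogether; the thread's `bitbake-getvar` output shows that the suggested `CVE_PRODUCT += "theora"` does the same (`CVE_PRODUCT=" theora"`), because the default only exists as a `[_defaultval]` and is dropped once the variable is assigned. Given the NVD rows quoted in the thread list the product as vendor `xiph`, product `theora`, and the only other hit on the name is the unrelated `itheora`, losing `libtheora` is acceptable, but if both names are wanted the explicit `CVE_PRODUCT = "${BPN} theora"` Ken proposed is the form that actually yields both. A one-line comment above the assignment stating that NVD tracks this package as `theora` would save the next reader from repeating this discussion.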