| Message ID | 20260426185025.13217-1-peter.marko@siemens.com |
|---|---|
| State | New |
| Series | [1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517 |
> -----Original Message-----
> From: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Sent: Sunday, April 26, 2026 8:50 PM
> To: openembedded-core@lists.openembedded.org
> Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Subject: [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517
>
> From: Peter Marko <peter.marko@siemens.com>
>
> These CVEs are for sudo-rs, not sudo.
> It can be easily deduced from the first word in the NVD description.
> Also cvelistV5 product is "sudo-re".
>
> It looks like the new version of sbom-cve-check matches product with
> startsWith instead of equals? Benjamin, any idea about this topic?
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
> meta/recipes-extended/sudo/sudo_1.9.17p2.bb | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-extended/sudo/sudo_1.9.17p2.bb b/meta/recipes- > extended/sudo/sudo_1.9.17p2.bb > index d6ee881f8c..12f81c5d4a 100644 > --- a/meta/recipes-extended/sudo/sudo_1.9.17p2.bb > +++ b/meta/recipes-extended/sudo/sudo_1.9.17p2.bb > @@ -60,3 +60,6 @@ RDEPENDS:${PN} += "${SUDO_PACKAGES}" > > FILES:${PN}-sudo = "${bindir}/sudo ${bindir}/sudoedit" > FILES:${PN}-lib = "${localstatedir} ${libexecdir} ${sysconfdir} ${libdir} > ${nonarch_libdir}" > + > +CVE_STATUS[CVE-2025-64170] = "cpe-incorrect: this CVE is for sudo-rs" > +CVE_STATUS[CVE-2025-64517] = "cpe-incorrect: this CVE is for sudo-rs"
On Sunday, April 26, 2026 at 9:17 PM, Marko, Peter wrote:
> > > -----Original Message-----
> > From: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> > Sent: Sunday, April 26, 2026 8:50 PM
> > To: openembedded-core@lists.openembedded.org
> > Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> > Subject: [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517
> >
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > These CVEs are for sudo-rs, not sudo.
> > It can be easily deduced from the first word in the NVD description.
> > Also cvelistV5 product is "sudo-re".
> >
> > It looks like the new version of sbom-cve-check matches product with
> > startsWith instead of equals?
> > Benjamin, any idea about this topic?

Yes, sadly the CPE of sudo-rs is trifectatech:sudo. Why this is the official CPE of sudo-rs, I don't know...

What is happening:
- From https://cveawg.mitre.org/api/cve/CVE-2025-64170 we extract the vendor and product name, then we look them up in the products database which is built into sbom-cve-check.
- The returned CPEs are "memorysafety:sudo", "trifectatech:sudo".
- Then we check if the CPE in the SBOM matches these CPEs. Currently sudo is declared as *:sudo, which matches trifectatech:sudo.

The easy fix is to declare the proper CPE of sudo using CVE_PRODUCT, which should be set to "sudo_project:sudo".

This behavior is documented here: https://sbom-cve-check.readthedocs.io/en/latest/design.html#find-applicable-cve

> > > > > Signed-off-by: Peter Marko <peter.marko@siemens.com> > > --- > > meta/recipes-extended/sudo/sudo_1.9.17p2.bb | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/meta/recipes-extended/sudo/sudo_1.9.17p2.bb b/meta/recipes- > > extended/sudo/sudo_1.9.17p2.bb > > index d6ee881f8c..12f81c5d4a 100644 > > --- a/meta/recipes-extended/sudo/sudo_1.9.17p2.bb > > +++ b/meta/recipes-extended/sudo/sudo_1.9.17p2.bb 
> > @@ -60,3 +60,6 @@ RDEPENDS:${PN} += "${SUDO_PACKAGES}" > > > > FILES:${PN}-sudo = "${bindir}/sudo ${bindir}/sudoedit" > > FILES:${PN}-lib = "${localstatedir} ${libexecdir} ${sysconfdir} ${libdir} > > ${nonarch_libdir}" > > + > > +CVE_STATUS[CVE-2025-64170] = "cpe-incorrect: this CVE is for sudo-rs" > > +CVE_STATUS[CVE-2025-64517] = "cpe-incorrect: this CVE is for sudo-rs" >
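The matching Benjamin describes, written out as a small Python model so the false positive and the proposed fix can be checked side by side. This is an added example, not sbom-cve-check's or OE-core's code; the two CVE-side CPEs are the ones named in his reply, and the `vendor:product` / bare-product convention is how OE-core's CVE_PRODUCT is written.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    """Minimal vendor:product pair; vendor '*' means the recipe did not pin a vendor."""
    vendor: str
    product: str

    def __str__(self) -> str:
        return f"{self.vendor}:{self.product}"


def parse_cve_product(value: str) -> list[Cpe]:
    """Parse a BitBake CVE_PRODUCT value.

    Entries are whitespace separated and are either 'vendor:product' or a
    bare 'product', which OE-core treats as any vendor ('*').
    """
    cpes = []
    for entry in value.split():
        vendor, _, product = entry.rpartition(":")
        cpes.append(Cpe(vendor or "*", product))
    return cpes


def matches(recipe: Cpe, cve: Cpe) -> bool:
    """Exact product match; the vendor must match unless the recipe left it as '*'."""
    return recipe.product == cve.product and recipe.vendor in ("*", cve.vendor)


# Constructed from the thread: the CPEs the CVE record resolves to for sudo-rs.
SUDO_RS_CPES = (Cpe("memorysafety", "sudo"), Cpe("trifectatech", "sudo"))


def applicable(cve_product: str, cve_cpes=SUDO_RS_CPES) -> list[str]:
    """Return the CVE-side CPEs a recipe with this CVE_PRODUCT would be matched to."""
    recipe_cpes = parse_cve_product(cve_product)
    return [str(c) for c in cve_cpes if any(matches(r, c) for r in recipe_cpes)]


if __name__ == "__main__":
    # Default recipe: bare "sudo" becomes *:sudo, so both sudo-rs CPEs match.
    print('CVE_PRODUCT = "sudo"              ->', applicable("sudo"))
    # Vendor pinned as suggested in the thread: neither sudo-rs CPE matches.
    print('CVE_PRODUCT = "sudo_project:sudo" ->', applicable("sudo_project:sudo"))
```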
diff --git a/meta/recipes-extended/sudo/sudo_1.9.17p2.bb b/meta/recipes-extended/sudo/sudo_1.9.17p2.bb index d6ee881f8c..12f81c5d4a 100644 --- a/meta/recipes-extended/sudo/sudo_1.9.17p2.bb +++ b/meta/recipes-extended/sudo/sudo_1.9.17p2.bb @@ -60,3 +60,6 @@ RDEPENDS:${PN} += "${SUDO_PACKAGES}" FILES:${PN}-sudo = "${bindir}/sudo ${bindir}/sudoedit" FILES:${PN}-lib = "${localstatedir} ${libexecdir} ${sysconfdir} ${libdir} ${nonarch_libdir}" + +CVE_STATUS[CVE-2025-64170] = "cpe-incorrect: this CVE is for sudo-rs" +CVE_STATUS[CVE-2025-64517] = "cpe-incorrect: this CVE is for sudo-rs"
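Review bot: the two `CVE_STATUS[...] = "cpe-incorrect: ..."` lines added after `FILES:${PN}-lib` silence these two reports but leave the cause in place; as the reply in the thread explains, the recipe currently matches the wildcard `*:sudo`, so every future trifectatech:sudo or memorysafety:sudo CVE will need another entry until `CVE_PRODUCT` is set to `"sudo_project:sudo"`. Consider adding that assignment alongside these lines (the status entries can stay as documentation of the two already reported), and the commit message's `"sudo-re"` should presumably read `"sudo-rs"` to match the reason given in the status strings.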