| Message ID | 20260412185201.2556780-2-peter.marko@siemens.com |
|---|---|
| State | New |
| Series | [1/2] xserver-org: update CVE_PRODUCT |
> -----Original Message-----
> From: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Sent: Sunday, April 12, 2026 8:52 PM
> To: openembedded-core@lists.openembedded.org
> Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Subject: [PATCH 2/2] xwayland: set status for CVE-2024-21886
>
> From: Peter Marko <peter.marko@siemens.com>
>
> Reference [1]:
> Introduced in: xorg-server-1.13.0 (2012)
> Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
>
> Note that the status should be "fixed-version", however that does not
> seem to work correctly with the new sbom-cve-check.

This looks like a bug in sbom-cve-check (or vex?) code.
Any idea why certain manual CVE_STATUSes would be overridden by cvelistV5 status?

> [1] https://lists.x.org/archives/xorg/2024-January/061525.html
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
> meta/recipes-graphics/xwayland/xwayland_24.1.9.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb b/meta/recipes-
> graphics/xwayland/xwayland_24.1.9.bb
> index df1bb7e31b..6c10eddb8e 100644
> --- a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> +++ b/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> @@ -14,6 +14,8 @@ SRC_URI[sha256sum] =
> "f297af27a84508db9b80d1cbbcc69c3801da38eb64c72f3b5b50f58245
>
> UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar"
>
> +CVE_STATUS[CVE-2024-21886] = "version-not-in-range: fixed since xwayland-
> 23.2.4"
> +
> inherit meson features_check pkgconfig
> REQUIRED_DISTRO_FEATURES = "x11 opengl"
>
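Review bot: the reason chosen for the added CVE_STATUS line ("version-not-in-range") contradicts the commit message, which says the status should be "fixed-version" and that the weaker reason is only a workaround for sbom-cve-check; a reader of the recipe alone will not see that reasoning. Suggest either using `CVE_STATUS[CVE-2024-21886] = "fixed-version: fixed in xwayland-23.2.4"` once the tool question is settled, or putting a one-line comment above the annotation in the recipe stating that "version-not-in-range" is a temporary workaround, so the intended status is not lost when the tool is fixed.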
Hello Peter,

On Sunday, April 12, 2026 at 9:04 PM, Marko, Peter wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Reference [1]:
> > Introduced in: xorg-server-1.13.0 (2012)
> > Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
> >
> > Note that the status should be "fixed-version", however that does not
> > seem to work correctly with the new sbom-cve-check.
>
> This looks like a bug in sbom-cve-check (or vex?) code.
> Any idea why certain manual CVE_STATUSes would be overridden by cvelistV5 status?

This should not be possible. With default configuration a manual annotation cannot be overwritten.
sbom-cve-check directly uses the annotation without any extra processing.

> > diff --git a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb b/meta/recipes-
> > graphics/xwayland/xwayland_24.1.9.bb
> > index df1bb7e31b..6c10eddb8e 100644
> > --- a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> > +++ b/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> > @@ -14,6 +14,8 @@ SRC_URI[sha256sum] =
> > "f297af27a84508db9b80d1cbbcc69c3801da38eb64c72f3b5b50f58245
> >
> > UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar"
> >
> > +CVE_STATUS[CVE-2024-21886] = "version-not-in-range: fixed since xwayland-
> > 23.2.4"
> > +
> > inherit meson features_check pkgconfig
> > REQUIRED_DISTRO_FEATURES = "x11 opengl"

What you see is perfectly normal.
The recipe is named "xwayland", without a CVE_PRODUCT specified, so the default CPE is "cpe:2.3:*:*:xwayland:24.1.9:*:*:*:*:*:*:*"
The CVE is associated with xorg-server and with xwayland. And if you notice, in the report the CVE is linked to xorg-server and to xwayland: the CVE is referenced twice in the report.
When associated with xorg-server the annotation does not work, but when associated with xwayland it works.
I guess you also need to add the CVE_STATUS in xserver-xorg recipe.
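The product-matching behaviour described in the reply above, as an added worked example; this is not code from sbom-cve-check, cve-check.bbclass, oe-core or the thread's author. It models only what the reply states: a recipe without CVE_PRODUCT is checked under a default CPE built from its recipe name and version, and a CVE_STATUS annotation in that recipe only covers report entries linked to that product name. The CPE layout (product in the fourth colon-separated field after `cpe:2.3`), the "Unpatched" label for unannotated entries, the report shape, and the xserver-xorg recipe mapping to product "xorg-server" via CVE_PRODUCT with a placeholder version are all assumptions made for the example.

```python
"""Toy model of per-recipe CVE_STATUS annotations applied to a CVE report.

Added example, not the real sbom-cve-check or cve-check.bbclass logic.
It shows why an annotation in the xwayland recipe does not cover a report
entry that links the same CVE to the product "xorg-server".
"""
from typing import Dict, List, Optional, Tuple


def default_cpe(recipe_name: str, version: str, cve_product: Optional[str] = None) -> str:
    """CPE 2.3 string a recipe is checked under. Without CVE_PRODUCT the
    recipe name itself is used as the product (assumption mirroring the thread)."""
    product = cve_product or recipe_name
    return f"cpe:2.3:*:*:{product}:{version}:*:*:*:*:*:*:*"


def cpe_product(cpe: str) -> str:
    """Extract the product field from a CPE 2.3 string (part, vendor, product,
    version, ... follow the 'cpe:2.3' prefix; product is index 4)."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return parts[4]


def parse_cve_status(value: str) -> Tuple[str, str]:
    """Split a CVE_STATUS value of the form 'reason: description'."""
    reason, sep, description = value.partition(":")
    if not sep or not reason.strip():
        raise ValueError(f"CVE_STATUS needs 'reason: description', got {value!r}")
    return reason.strip(), description.strip()


def apply_status(report: List[Tuple[str, str]], recipes: Dict[str, dict]) -> Dict[Tuple[str, str], str]:
    """For every (product, cve) pair in the report, look for an annotation in
    the recipe(s) whose CPE product equals that product name. Entries with no
    matching annotation stay 'Unpatched' (label is an assumption)."""
    by_product: Dict[str, List[dict]] = {}
    for name, info in recipes.items():
        cpe = default_cpe(name, info["version"], info.get("cve_product"))
        by_product.setdefault(cpe_product(cpe), []).append(info.get("cve_status", {}))

    result: Dict[Tuple[str, str], str] = {}
    for product, cve in report:
        status = "Unpatched"
        for annotations in by_product.get(product, []):
            if cve in annotations:
                status, _description = parse_cve_status(annotations[cve])
                break
        result[(product, cve)] = status
    return result


# Constructed sample report: the CVE is referenced twice, once per product.
REPORT = [("xorg-server", "CVE-2024-21886"), ("xwayland", "CVE-2024-21886")]

# Only the xwayland recipe carries the annotation from the patch.
XWAYLAND_ONLY = {
    "xwayland": {
        "version": "24.1.9",
        "cve_status": {"CVE-2024-21886": "version-not-in-range: fixed since xwayland-23.2.4"},
    },
}

# Assumed second recipe: xserver-xorg mapped to product "xorg-server" through
# CVE_PRODUCT, with a placeholder version and its own annotation.
BOTH_RECIPES = {
    **XWAYLAND_ONLY,
    "xserver-xorg": {
        "version": "0.0.0-placeholder",
        "cve_product": "xorg-server",
        "cve_status": {"CVE-2024-21886": "fixed-version: fixed in xorg-server-21.1.11"},
    },
}

if __name__ == "__main__":
    for label, recipes in (("xwayland only", XWAYLAND_ONLY), ("both recipes", BOTH_RECIPES)):
        print(label)
        for (product, cve), status in apply_status(REPORT, recipes).items():
            print(f"  {product:12} {cve}: {status}")
```

With only the xwayland recipe annotated, the xorg-server-linked entry stays "Unpatched" while the xwayland-linked one picks up "version-not-in-range"; adding the annotation to the recipe that owns the "xorg-server" product covers the second entry too, which is the fix the reply suggests.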
diff --git a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb b/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb index df1bb7e31b..6c10eddb8e 100644 --- a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb +++ b/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb @@ -14,6 +14,8 @@ SRC_URI[sha256sum] = "f297af27a84508db9b80d1cbbcc69c3801da38eb64c72f3b5b50f58245 UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar" +CVE_STATUS[CVE-2024-21886] = "version-not-in-range: fixed since xwayland-23.2.4" + inherit meson features_check pkgconfig REQUIRED_DISTRO_FEATURES = "x11 opengl"
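Review bot: the added CVE_STATUS line only takes effect for report entries matched against this recipe's own CPE product, which is "xwayland" because no CVE_PRODUCT is set; an entry that links CVE-2024-21886 to the product "xorg-server" is not covered by it, which matches the thread's observation that the CVE appears twice in the report and the annotation works for the xwayland match only. Suggest adding a matching `CVE_STATUS[CVE-2024-21886]` in the xserver-xorg recipe (patch 1/2 already touches its CVE_PRODUCT) so both product matches carry a status, and mentioning that dependency in the commit message.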