
[6/6] mpg123: set status for CVE-2006-3355

Message ID 20260413211447.564257-6-peter.marko@siemens.com
State New
Series [1/6] xdg-utils: set status for CVE-2025-52968

Commit Message

Marko, Peter April 13, 2026, 9:14 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

This seems to be a bug in sbom-cve-check.
I could get a clean report with the following fkie change:

           "cpeMatch": [
+            {
+              "vulnerable": true,
+              "criteria": "cpe:2.3:a:mpg123:mpg123:0.59r:*:*:*:*:*:*:*",
+              "matchCriteriaId": "1F8EEF7E-C6BB-4669-81D2-68AABF8A7686"
+            },
             {
               "vulnerable": true,
               "criteria": "cpe:2.3:a:mpg123:mpg123:pre0.59s_r11:*:*:*:*:*:*:*",
               "matchCriteriaId": "9765C6AD-E1F0-421C-B7B1-C09AD83A3DB7"
             }
           ]

However, I'm not sure why adding another vulnerable version should switch
the vulnerability flag from true to false...

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb | 2 ++
 1 file changed, 2 insertions(+)

Comments

Marko, Peter April 13, 2026, 9:23 p.m. UTC | #1
Benjamin,

This one is weird.
How can someone debug the sbom-cve-check script to figure out why the match is positive or negative?
It would be a great feature if there were some option to print the comparisons.

Peter


Patch

diff --git a/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb b/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb
index 648eb21500..dd5f8a53f5 100644
--- a/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb
+++ b/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb
@@ -53,3 +53,5 @@  EXTRA_OECONF = " \
 #| make[3]: *** [equalizer.lo] Error 1
 ARM_INSTRUCTION_SET:armv4 = "arm"
 ARM_INSTRUCTION_SET:armv5 = "arm"
+
+CVE_STATUS[CVE-2006-3355] = "fixed-version: fixed since pre0.59s_r11"
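Review bot: The justification string "fixed since pre0.59s_r11" reads as a statement of fact about the fix, while the commit message attributes the report to a suspected bug in sbom-cve-check and does not claim to know where the issue was fixed; consider wording the status so a recipe reader sees the actual reasoning, e.g. that the NVD cpeMatch for CVE-2006-3355 lists only pre0.59s_r11 as vulnerable and this recipe builds 1.33.4, which is what makes the match a false positive. It would also help to note in the commit message that the entry can be dropped once the tool's comparison is fixed, so the reason for it is not lost.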