[6/6] ffmpeg: set status for 5 CVEs

Message ID	20260426185025.13217-6-peter.marko@siemens.com
State	New
Headers	show Return-Path: <peter.marko@siemens.com> ip: 185.136.64.227, mailfrom: fm-256628-202604261851145562a10bc7000207ea-6gyq0d@rts-flowmailer.siemens.com) From: Peter Marko <peter.marko@siemens.com> To: openembedded-core@lists.openembedded.org Cc: Peter Marko <peter.marko@siemens.com> Subject: [PATCH 6/6] ffmpeg: set status for 5 CVEs Date: Sun, 26 Apr 2026 20:50:25 +0200 Message-ID: <20260426185025.13217-6-peter.marko@siemens.com> In-Reply-To: <20260426185025.13217-1-peter.marko@siemens.com> References: <20260426185025.13217-1-peter.marko@siemens.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Feedback-ID: 519:519-256628:519-21489:flowmailer
Series	[1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517 \| expand [1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517 [2/6] cargo: set status of CVE-2023-40030 [3/6] cargo: set CVE_PRODUCT [4/6] git: set status of 5 CVEs [5/6] ovmf: set status for 7 CVEs [6/6] ffmpeg: set status for 5 CVEs

Message ID

20260426185025.13217-6-peter.marko@siemens.com

State

New

Headers

From: Peter Marko <peter.marko@siemens.com>
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko <peter.marko@siemens.com>
Subject: [PATCH 6/6] ffmpeg: set status for 5 CVEs
Date: Sun, 26 Apr 2026 20:50:25 +0200
Message-ID: <20260426185025.13217-6-peter.marko@siemens.com>
In-Reply-To: <20260426185025.13217-1-peter.marko@siemens.com>
References: <20260426185025.13217-1-peter.marko@siemens.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Feedback-ID: 519:519-256628:519-21489:flowmailer

Series

[1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517 | expand

Commit Message

Peter Marko April 26, 2026, 6:50 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

These reappeared after update of sbom-cve-check tooling.
Fixed version found by links from Debian security tracker.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Benjamin Robin April 27, 2026, 7:44 a.m. UTC | #1

Hello Peter,

On Sunday, April 26, 2026 at 8:50 PM, Peter Marko wrote:
> From: Peter Marko <peter.marko@siemens.com>
> 
> These reappeared after update of sbom-cve-check tooling.
> Fixed version found by links from Debian security tracker.
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb
> index 7bb7de3d25..9780abe184 100644
> --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb
> +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb
> @@ -176,6 +176,11 @@ CVE_STATUS_GROUPS = "CVE_STATUS_WRONG_CPE"
>  CVE_STATUS_WRONG_CPE = "CVE-2023-51791 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 CVE-2023-51796 CVE-2023-51797 CVE-2023-51798 CVE-2025-22921"
>  CVE_STATUS_WRONG_CPE[status] = "fixed-version: these CVEs are fixed in used version"
>  
> +CVE_STATUS[CVE-2022-2566] = "fixed-version: these CVEs are fixed since v5.1.1"
> +CVE_STATUS[CVE-2025-9951] = "fixed-version: these CVEs are fixed since v8.0"
>  CVE_STATUS[CVE-2025-25468] = "fixed-version: these CVEs are fixed since v8.0"
>  CVE_STATUS[CVE-2025-25469] = "fixed-version: these CVEs are fixed since v8.0"
>  CVE_STATUS[CVE-2025-12343] = "fixed-version: this CVE are fixed since v8.0"
> +CVE_STATUS[CVE-2025-59729] = "fixed-version: this CVE are fixed since v8.0"
> +CVE_STATUS[CVE-2025-59730] = "fixed-version: this CVE are fixed since v8.0"

> +CVE_STATUS[CVE-2025-69693] = "fixed-version: this CVE are fixed since v8.1"

Why the CVE-2025-69693 is marked has fixed?

It is affecting the version 8.0.1 which is the current version of the recipe,
as reported by NVD:
https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-69693

{ vulnerable: true, criteria: "cpe:2.3:a:ffmpeg:ffmpeg:8.0.1:*:*:*:*:*:*:*", 
  matchCriteriaId: "7F5CACA2-6FB6-4D6D-92D0-C9FF0E7CDB14" }

I did not investigate in which version this CVE was fixed.

Peter Marko April 27, 2026, 10:07 a.m. UTC | #2

> -----Original Message-----
> From: Benjamin Robin <benjamin.robin@bootlin.com>
> Sent: Monday, April 27, 2026 9:45 AM
> To: openembedded-core@lists.openembedded.org; Marko, Peter (FT D EU SK
> BFS1) <Peter.Marko@siemens.com>
> Subject: Re: [PATCH 6/6] ffmpeg: set status for 5 CVEs
> 
> Hello Peter,
> 
> On Sunday, April 26, 2026 at 8:50 PM, Peter Marko wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > These reappeared after update of sbom-cve-check tooling.
> > Fixed version found by links from Debian security tracker.
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb b/meta/recipes-
> multimedia/ffmpeg/ffmpeg_8.0.1.bb
> > index 7bb7de3d25..9780abe184 100644
> > --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb
> > +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb
> > @@ -176,6 +176,11 @@ CVE_STATUS_GROUPS =
> "CVE_STATUS_WRONG_CPE"
> >  CVE_STATUS_WRONG_CPE = "CVE-2023-51791 CVE-2023-51793 CVE-
> 2023-51794 CVE-2023-51795 CVE-2023-51796 CVE-2023-51797 CVE-2023-
> 51798 CVE-2025-22921"
> >  CVE_STATUS_WRONG_CPE[status] = "fixed-version: these CVEs are fixed in
> used version"
> >
> > +CVE_STATUS[CVE-2022-2566] = "fixed-version: these CVEs are fixed since
> v5.1.1"
> > +CVE_STATUS[CVE-2025-9951] = "fixed-version: these CVEs are fixed since
> v8.0"
> >  CVE_STATUS[CVE-2025-25468] = "fixed-version: these CVEs are fixed since
> v8.0"
> >  CVE_STATUS[CVE-2025-25469] = "fixed-version: these CVEs are fixed since
> v8.0"
> >  CVE_STATUS[CVE-2025-12343] = "fixed-version: this CVE are fixed since
> v8.0"
> > +CVE_STATUS[CVE-2025-59729] = "fixed-version: this CVE are fixed since
> v8.0"
> > +CVE_STATUS[CVE-2025-59730] = "fixed-version: this CVE are fixed since
> v8.0"
> 
> > +CVE_STATUS[CVE-2025-69693] = "fixed-version: this CVE are fixed since
> v8.1"
> 
> Why the CVE-2025-69693 is marked has fixed?
> 
> It is affecting the version 8.0.1 which is the current version of the recipe,
> as reported by NVD:
> https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-69693

Thanks for noticing.
I guess I just want to have the cleanup finally finished and didn't think about the current version too much, just that there is already a version with a fix out.
Will send a v2 shortly.

> 
> { vulnerable: true, criteria: "cpe:2.3:a:ffmpeg:ffmpeg:8.0.1:*:*:*:*:*:*:*",
>   matchCriteriaId: "7F5CACA2-6FB6-4D6D-92D0-C9FF0E7CDB14" }
> 
> I did not investigate in which version this CVE was fixed.
> 
> --
> Benjamin Robin, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
> 
>

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb
index 7bb7de3d25..9780abe184 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb
@@ -176,6 +176,11 @@  CVE_STATUS_GROUPS = "CVE_STATUS_WRONG_CPE"
 CVE_STATUS_WRONG_CPE = "CVE-2023-51791 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 CVE-2023-51796 CVE-2023-51797 CVE-2023-51798 CVE-2025-22921"
 CVE_STATUS_WRONG_CPE[status] = "fixed-version: these CVEs are fixed in used version"
 
+CVE_STATUS[CVE-2022-2566] = "fixed-version: these CVEs are fixed since v5.1.1"
+CVE_STATUS[CVE-2025-9951] = "fixed-version: these CVEs are fixed since v8.0"
 CVE_STATUS[CVE-2025-25468] = "fixed-version: these CVEs are fixed since v8.0"
 CVE_STATUS[CVE-2025-25469] = "fixed-version: these CVEs are fixed since v8.0"
 CVE_STATUS[CVE-2025-12343] = "fixed-version: this CVE are fixed since v8.0"
+CVE_STATUS[CVE-2025-59729] = "fixed-version: this CVE are fixed since v8.0"
+CVE_STATUS[CVE-2025-59730] = "fixed-version: this CVE are fixed since v8.0"
+CVE_STATUS[CVE-2025-69693] = "fixed-version: this CVE are fixed since v8.1"

[6/6] ffmpeg: set status for 5 CVEs

Commit Message

Comments

Patch