From patchwork Fri Apr 10 13:10:43 2026
X-Patchwork-Submitter: Benjamin Robin
X-Patchwork-Id: 85831
From: Benjamin Robin
Date: Fri, 10 Apr 2026 15:10:43 +0200
Subject: [PATCH 1/4] cve_check: Improve escaping of special characters in CPE 2.3
Message-Id: <20260410-fix-cpe-escaping-v1-1-ed63c2477f46@bootlin.com>
References: <20260410-fix-cpe-escaping-v1-0-ed63c2477f46@bootlin.com>
In-Reply-To: <20260410-fix-cpe-escaping-v1-0-ed63c2477f46@bootlin.com>
To: openembedded-core@lists.openembedded.org
Cc: richard.purdie@linuxfoundation.org, ross.burton@arm.com, peter.marko@siemens.com, stefano.tondo.ext@siemens.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, Benjamin Robin
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235026

According to the NISTIR 7695 specification [1], multiple characters require
escaping when using formatted strings (e.g., `cpe:2.3:...`), which use
backslash escaping.

In "Figure 6-3. ABNF for Formatted String Binding", the characters that need
escaping are referenced by "escape", "special", and "punc".

More characters must be escaped than just `\`, `?`, `*`, `:`, and `+`.

Additionally, use `maketrans()` with `translate()`, which is more efficient
than a simple `replace()`.

[1] https://nvlpubs.nist.gov/nistpubs/legacy/ir/nistir7695.pdf

Signed-off-by: Benjamin Robin
---
 meta/lib/oe/cve_check.py | 28 ++++++++++++----------------
 1 file changed, 12 insertions(+), 16 deletions(-)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index 65557435149a..22b5062c977c 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -205,33 +205,29 @@ def get_patched_cves(d): return patched_cves +_CPE23_ENCODE_TRANS_TABLE = str.maketrans( + {c: f"\\{c}" for c in [ + "\\", "!", '"', "#", "$", "%", "&", "'", "(", ")", "+", ",", "/", ":", ";", + "<", "=", ">", "@", "[", "]", "^", "`", "{", "|", "}", "~", "?", "*" + ]} +) + + def cpe_escape(value): - r""" + """ Escape special characters for CPE 2.3 formatted string binding. CPE 2.3 formatted string binding (cpe:2.3:...) uses backslash escaping for special meta-characters, NOT percent-encoding. Percent-encoding is only used in the URI binding (cpe:/...). - According to NISTIR 7695, these characters need escaping: - - Backslash (\) -> \\ - - Question mark (?) -> \? - - Asterisk (*) -> \* - - Colon (:) -> \: - - Plus (+) -> \+ (required by some SBOM validators) + According to NISTIR 7695, various characters referenced in the "Figure 6-3. + ABNF for Formatted String Binding" need escaping: escape, special and punc. """ if not value: return value - # Escape special meta-characters for CPE 2.3 formatted string binding - # Order matters: escape backslash first to avoid double-escaping - result = value.replace('\\', '\\\\') - result = result.replace('?', '\\?') - result = result.replace('*', '\\*') - result = result.replace(':', '\\:') - result = result.replace('+', '\\+') - - return result + return value.translate(_CPE23_ENCODE_TRANS_TABLE) def get_cpe_ids(cve_product, version): From patchwork Fri Apr 10 13:10:44 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 85828 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EE7FFF44866 for ; Fri, 10 Apr 2026 13:11:12 +0000 (UTC) Received: from smtpout-02.galae.net (smtpout-02.galae.net [185.246.84.56]) 
From: Benjamin Robin
Date: Fri, 10 Apr 2026 15:10:44 +0200
Subject: [PATCH 2/4] cve_check: do not break old CVE_PRODUCT with escaped +
Message-Id: <20260410-fix-cpe-escaping-v1-2-ed63c2477f46@bootlin.com>
References: <20260410-fix-cpe-escaping-v1-0-ed63c2477f46@bootlin.com>
In-Reply-To: <20260410-fix-cpe-escaping-v1-0-ed63c2477f46@bootlin.com>
To: openembedded-core@lists.openembedded.org
Cc: richard.purdie@linuxfoundation.org, ross.burton@arm.com, peter.marko@siemens.com, stefano.tondo.ext@siemens.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, Benjamin Robin
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235025

For now, until all layers are fixed, replace already escaped plus (+) with a
simple + before doing the escaping.

Signed-off-by: Benjamin Robin
---
 meta/lib/oe/cve_check.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index 22b5062c977c..e6104a279d5e 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -227,6 +227,9 @@ def cpe_escape(value): if not value: return value + # Do not break compatibility + value = value.replace("\\+", "+") + return value.translate(_CPE23_ENCODE_TRANS_TABLE) From patchwork Fri Apr 10 13:10:45 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 85830 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 288FAF4486A for ; Fri, 10 Apr 2026 13:11:13 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.155768.1775826667570255258 for ; Fri, 10 Apr 2026 06:11:07 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=KbWp8Ls7; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id DC1BC4E429B3; Fri, 10 Apr 2026 13:11:05 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id B3EE4603F0; Fri, 10 Apr 2026 13:11:05 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 2EEB310450022; Fri, 10 Apr 2026 15:11:04 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1775826665; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=lvH0ODqfw5xPUtzjHn2hSQeo0fMX71o2mg05hWQKJM0=; b=KbWp8Ls7do+azmH8/QE8zU4ODzCogPpE8GAuZNZah4xa77Ocp81hCHZff+W8Z8cZXbV5ai zeADqS5rFoEBimykTrKP+jFx+LfqhZvzEIH2eRYbDNpya+Vw5AQ2IT40yP0+BZFI44aVWZ 
From: Benjamin Robin
Date: Fri, 10 Apr 2026 15:10:45 +0200
Subject: [PATCH 3/4] gtk+: Remove escaping of the plus sign in `CVE_PRODUCT`
Message-Id: <20260410-fix-cpe-escaping-v1-3-ed63c2477f46@bootlin.com>
References: <20260410-fix-cpe-escaping-v1-0-ed63c2477f46@bootlin.com>
In-Reply-To: <20260410-fix-cpe-escaping-v1-0-ed63c2477f46@bootlin.com>
To: openembedded-core@lists.openembedded.org
Cc: richard.purdie@linuxfoundation.org, ross.burton@arm.com, peter.marko@siemens.com, stefano.tondo.ext@siemens.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, Benjamin Robin
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235027

The `+` character is now properly escaped by `cve_check.cpe_escape()`

Signed-off-by: Benjamin Robin
---
 meta/recipes-gnome/gtk+/gtk+3_3.24.51.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-gnome/gtk+/gtk+3_3.24.51.bb b/meta/recipes-gnome/gtk+/gtk+3_3.24.51.bb
index 35f99b2de0c1..51a293c1d8ee 100644
--- a/meta/recipes-gnome/gtk+/gtk+3_3.24.51.bb
+++ b/meta/recipes-gnome/gtk+/gtk+3_3.24.51.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2 \ file://gdk/gdk.h;endline=25;md5=c920ce39dc88c6f06d3e7c50e08086f2 \ file://tests/testgtk.c;endline=25;md5=cb732daee1d82af7a2bf953cf3cf26f1" -CVE_PRODUCT = "gnome:gtk gtk:gtk\+" +CVE_PRODUCT = "gnome:gtk gtk:gtk+" DEPENDS = "glib-2.0 cairo pango atk jpeg libpng gdk-pixbuf gdk-pixbuf-native" From patchwork Fri Apr 10 13:10:46 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 85829 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2FAE6F44869 for ; Fri, 10 Apr 2026 13:11:13 +0000 (UTC) Received: from smtpout-02.galae.net (smtpout-02.galae.net [185.246.84.56]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.156114.1775826668380847405 for ; Fri, 10 Apr 2026 06:11:08 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=QT+RFLf5; spf=pass (domain: bootlin.com, ip: 185.246.84.56, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-02.galae.net (Postfix) with ESMTPS id D8E901A325A; Fri, 10 Apr 2026 13:11:06 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id B005B603F0; Fri, 10 Apr 2026 13:11:06 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 564F21045001A; Fri, 10 Apr 2026 15:11:05 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1775826666; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; 
From: Benjamin Robin
Date: Fri, 10 Apr 2026 15:10:46 +0200
Subject: [PATCH 4/4] webkitgtk: Remove escaping of the plus sign in `CVE_PRODUCT`
Message-Id: <20260410-fix-cpe-escaping-v1-4-ed63c2477f46@bootlin.com>
References: <20260410-fix-cpe-escaping-v1-0-ed63c2477f46@bootlin.com>
In-Reply-To: <20260410-fix-cpe-escaping-v1-0-ed63c2477f46@bootlin.com>
To: openembedded-core@lists.openembedded.org
Cc: richard.purdie@linuxfoundation.org, ross.burton@arm.com, peter.marko@siemens.com, stefano.tondo.ext@siemens.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, Benjamin Robin
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235028

The `+` character is now properly escaped by `cve_check.cpe_escape()`

Signed-off-by: Benjamin Robin
---
 meta/recipes-sato/webkit/webkitgtk_2.50.6.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-sato/webkit/webkitgtk_2.50.6.bb b/meta/recipes-sato/webkit/webkitgtk_2.50.6.bb
index 941cbe930416..5d2c970b29e3 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.50.6.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.50.6.bb
@@ -25,7 +25,7 @@ inherit cmake pkgconfig gobject-introspection perlnative features_check upstream ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}" REQUIRED_DISTRO_FEATURES = "opengl" -CVE_PRODUCT = "webkitgtk webkitgtk\+" +CVE_PRODUCT = "webkitgtk webkitgtk+" DEPENDS += " \ ruby-native \
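
Review bot: in [PATCH 1/4], the `_CPE23_ENCODE_TRANS_TABLE` literal added above `cpe_escape()` is one flat list with no comment tying its entries to the `escape`, `special` and `punc` rules that the new docstring cites, and the docstring no longer names a single escaped character, so the list cannot be audited without opening NISTIR 7695. Group the entries by rule with a short comment each (`\` for escape, `?` and `*` for special, the rest for punc), and state whether `-`, `.` and `_` are left out on purpose. Since `?` and `*` are escaped unconditionally, the docstring should also say that the function is meant for literal values only. The diffstat shows only `cve_check.py` changing, so nothing tests the new table; a small test over a backslash, a `+`, a `:` and an unchanged alphanumeric value would pin the behaviour down.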
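
Review bot: in [PATCH 2/4], the added `value = value.replace("\\+", "+")` in `cpe_escape()` rewrites every backslash-plus pair silently, and the comment `# Do not break compatibility` does not say compatibility with what or when the line can be dropped. Expand the comment to say that older `CVE_PRODUCT` values carry a pre-escaped `\+` and that the line is temporary, as the commit message does, and consider emitting a warning when the replacement fires so that layers still using the old form get noticed and fixed. Note also that only `\+` is handled: any other pre-escaped character in an existing value will have its backslash escaped again by the `translate()` call that follows, and a value containing a literal backslash directly before `+` can no longer be expressed.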