From patchwork Fri Jul 10 07:43:01 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "mark.yang" X-Patchwork-Id: 92148 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0AA12C44506 for ; Fri, 10 Jul 2026 07:44:23 +0000 (UTC) Received: from lgeamrelo12.lge.com (lgeamrelo12.lge.com [156.147.23.52]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7957.1783669459300140408 for ; Fri, 10 Jul 2026 00:44:20 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: lge.com, ip: 156.147.23.52, mailfrom: mark.yang@lge.com) Received: from unknown (HELO lgemrelse7q.lge.com) (156.147.1.151) by 156.147.23.52 with ESMTP; 10 Jul 2026 16:44:16 +0900 X-Original-SENDERIP: 156.147.1.151 X-Original-MAILFROM: mark.yang@lge.com Received: from unknown (HELO markyang..) (10.177.127.86) by 156.147.1.151 with ESMTP; 10 Jul 2026 16:44:16 +0900 X-Original-SENDERIP: 10.177.127.86 X-Original-MAILFROM: mark.yang@lge.com From: mark.yang@lge.com To: openembedded-core@lists.openembedded.org Cc: "mark.yang" Subject: [PATCH 1/4] python3-cryptography: set CVE_PRODUCT Date: Fri, 10 Jul 2026 16:43:01 +0900 Message-ID: <20260710074415.3341616-1-mark.yang@lge.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 07:44:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240599 From: "mark.yang" NVD lists it as cryptography.io:cryptography, and CNA lists it as pyca:cryptography, so CVE_PRODUCT is set to cryptography. Signed-off-by: mark.yang --- meta/recipes-devtools/python/python3-cryptography.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/python/python3-cryptography.bb b/meta/recipes-devtools/python/python3-cryptography.bb index 4730c34997..6138028d55 100644 --- a/meta/recipes-devtools/python/python3-cryptography.bb +++ b/meta/recipes-devtools/python/python3-cryptography.bb @@ -71,4 +71,6 @@ do_install_ptest() { cp -r ${S}/pyproject.toml ${D}${PTEST_PATH}/ } +CVE_PRODUCT = "cryptography" + BBCLASSEXTEND = "native nativesdk" From patchwork Fri Jul 10 07:43:02 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "mark.yang" X-Patchwork-Id: 92150 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3E9BAC44507 for ; Fri, 10 Jul 2026 07:44:23 +0000 (UTC) Received: from lgeamrelo13.lge.com (lgeamrelo13.lge.com [156.147.23.53]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7958.1783669459323100269 for ; Fri, 10 Jul 2026 00:44:20 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: lge.com, ip: 156.147.23.53, mailfrom: mark.yang@lge.com) Received: from unknown (HELO lgemrelse7q.lge.com) (156.147.1.151) by 156.147.23.53 with ESMTP; 10 Jul 2026 16:44:16 +0900 X-Original-SENDERIP: 156.147.1.151 X-Original-MAILFROM: mark.yang@lge.com Received: from unknown (HELO markyang..) (10.177.127.86) by 156.147.1.151 with ESMTP; 10 Jul 2026 16:44:16 +0900 X-Original-SENDERIP: 10.177.127.86 X-Original-MAILFROM: mark.yang@lge.com From: mark.yang@lge.com To: openembedded-core@lists.openembedded.org Cc: "mark.yang" Subject: [PATCH 2/4] python3-ply: set CVE_PRODUCT and CVE_STATUS for CVE-2025-56005 as disputed Date: Fri, 10 Jul 2026 16:43:02 +0900 Message-ID: <20260710074415.3341616-2-mark.yang@lge.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260710074415.3341616-1-mark.yang@lge.com> References: <20260710074415.3341616-1-mark.yang@lge.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 07:44:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240601 From: "mark.yang" For python3-ply, the CVE_PRODUCT should be set to ply, not python:ply. NVD registers ply as dabeaz:ply, so the default python:ply vendor prefix never matches and no CVEs are reported. CVE-2025-56005 is disputed. See https://nvd.nist.gov/vuln/detail/CVE-2025-56005 Signed-off-by: mark.yang --- meta/recipes-devtools/python/python3-ply_3.11.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/recipes-devtools/python/python3-ply_3.11.bb b/meta/recipes-devtools/python/python3-ply_3.11.bb index 2c5fa3f215..ce45bbc1bd 100644 --- a/meta/recipes-devtools/python/python3-ply_3.11.bb +++ b/meta/recipes-devtools/python/python3-ply_3.11.bb @@ -14,4 +14,8 @@ RDEPENDS:${PN}:class-target += "\ python3-shell \ " +CVE_PRODUCT = "ply" +# https://nvd.nist.gov/vuln/detail/CVE-2025-56005 Disputed +CVE_STATUS[CVE-2025-56005] = "disputed: PoC fails to demonstrate code execution; picklefile is a developer-controlled parser-table cache parameter" + BBCLASSEXTEND = "native nativesdk" From patchwork Fri Jul 10 07:43:03 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "mark.yang" X-Patchwork-Id: 92149 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EFB7BC43458 for ; Fri, 10 Jul 2026 07:44:22 +0000 (UTC) Received: from lgeamrelo11.lge.com (lgeamrelo11.lge.com [156.147.23.51]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7956.1783669459258150982 for ; Fri, 10 Jul 2026 00:44:20 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: lge.com, ip: 156.147.23.51, mailfrom: mark.yang@lge.com) Received: from unknown (HELO lgemrelse7q.lge.com) (156.147.1.151) by 156.147.23.51 with ESMTP; 10 Jul 2026 16:44:16 +0900 X-Original-SENDERIP: 156.147.1.151 X-Original-MAILFROM: mark.yang@lge.com Received: from unknown (HELO markyang..) (10.177.127.86) by 156.147.1.151 with ESMTP; 10 Jul 2026 16:44:16 +0900 X-Original-SENDERIP: 10.177.127.86 X-Original-MAILFROM: mark.yang@lge.com From: mark.yang@lge.com To: openembedded-core@lists.openembedded.org Cc: "mark.yang" Subject: [PATCH 3/4] python3-pyasn1: set CVE_PRODUCT Date: Fri, 10 Jul 2026 16:43:03 +0900 Message-ID: <20260710074415.3341616-3-mark.yang@lge.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260710074415.3341616-1-mark.yang@lge.com> References: <20260710074415.3341616-1-mark.yang@lge.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 07:44:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240598 From: "mark.yang" Set the product to pyasn1. The default python:pyasn1 does not match the NVD/CNA entries which use pyasn1 as vendor, so CVEs like CVE-2026-30922 are never reported. Signed-off-by: mark.yang --- meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb b/meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb index fb572d9da4..ee3cfc9813 100644 --- a/meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb +++ b/meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb @@ -14,4 +14,6 @@ RDEPENDS:${PN}:class-target += " \ python3-shell \ " +CVE_PRODUCT = "pyasn1" + BBCLASSEXTEND = "native nativesdk" From patchwork Fri Jul 10 07:43:04 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "mark.yang" X-Patchwork-Id: 92151 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 31B16C44501 for ; Fri, 10 Jul 2026 07:44:23 +0000 (UTC) Received: from lgeamrelo13.lge.com (lgeamrelo13.lge.com [156.147.23.53]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7955.1783669459169776366 for ; Fri, 10 Jul 2026 00:44:20 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: lge.com, ip: 156.147.23.53, mailfrom: mark.yang@lge.com) Received: from unknown (HELO lgemrelse7q.lge.com) (156.147.1.151) by 156.147.23.53 with ESMTP; 10 Jul 2026 16:44:16 +0900 X-Original-SENDERIP: 156.147.1.151 X-Original-MAILFROM: mark.yang@lge.com Received: from unknown (HELO markyang..) (10.177.127.86) by 156.147.1.151 with ESMTP; 10 Jul 2026 16:44:16 +0900 X-Original-SENDERIP: 10.177.127.86 X-Original-MAILFROM: mark.yang@lge.com From: mark.yang@lge.com To: openembedded-core@lists.openembedded.org Cc: "mark.yang" Subject: [PATCH 4/4] libx11-compose-data: set CVE_PRODUCT to empty value Date: Fri, 10 Jul 2026 16:43:04 +0900 Message-ID: <20260710074415.3341616-4-mark.yang@lge.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260710074415.3341616-1-mark.yang@lge.com> References: <20260710074415.3341616-1-mark.yang@lge.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 07:44:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240600 From: "mark.yang" This recipe only builds and installs the compose data files (nls/) from the libX11 sources and contains no compiled libX11 code, so libx11 CVEs do not apply to it. When the x11 DISTRO_FEATURE is enabled this recipe is skipped and libx11 itself is built and scanned instead. Referred glibc-locale case: https://github.com/openembedded/openembedded-core/commit/1f9a963b9ff7ebe052ba54b9fcbdf7d09478dd17 Signed-off-by: mark.yang --- .../recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb b/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb index 562a8cbf16..4bf9f07aba 100644 --- a/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb +++ b/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb @@ -29,3 +29,9 @@ do_install() { PACKAGES = "${PN}" FILES:${PN} = "${datadir}/X11/locale ${libdir}/X11/locale" + +# This recipe only builds and installs the compose data files (nls/) from +# the libX11 sources and contains no compiled libX11 code, so libx11 CVEs +# do not apply to it. When the x11 DISTRO_FEATURE is enabled this recipe +# is skipped and libx11 itself is built and scanned instead. +CVE_PRODUCT = ""