From: Efraim Flashner
Subject: bug#36571: icecat's CPE data is wrong
Date: Wed, 10 Jul 2019 10:05:40 +0300
Message-ID: <20190710070540.GN1085@macbook41>
List-Id: Bug reports for GNU Guix
To:
 36571@debbugs.gnu.org

currently we have:

(cpe-name . "firefox_esr")
(cpe-version . ,(first (string-split version #\-)))

and it should be:

(cpe-name . "firefox")
(cpe-version . ,(first (string-split version #\.)))

however, this returns results for firefox@60, which I'm pretty sure
doesn't take into account that we're not running 60.0.0 but 60.8.0.

With the change 'guix lint -c cve icecat' returns:

icecat@60.8.0-guix1: probably vulnerable to CVE-2019-9788, CVE-2019-9789, CVE-2019-9791, CVE-2019-9792, CVE-2019-9793, CVE-2019-9794, CVE-2019-9795, CVE-2019-9796, CVE-2019-9797, CVE-2019-9798, CVE-2019-9799, CVE-2019-9801, CVE-2019-9802, CVE-2019-9803, CVE-2019-9804, CVE-2019-9805, CVE-2019-9806, CVE-2019-9807, CVE-2019-9808, CVE-2019-9809, CVE-2019-9810, CVE-2019-9813, CVE-2018-12358, CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12362, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-12367, CVE-2018-12368, CVE-2018-12369, CVE-2018-12370, CVE-2018-12375, CVE-2018-12376, CVE-2018-12377, CVE-2018-12378, CVE-2018-12379, CVE-2018-12381, CVE-2018-12383, CVE-2018-12385, CVE-2018-12386, CVE-2018-12387, CVE-2018-12388, CVE-2018-12390, CVE-2018-12391, CVE-2018-12392, CVE-2018-12395, CVE-2018-12396, CVE-2018-12397, CVE-2018-12398, CVE-2018-12399, CVE-2018-12400, CVE-2018-12401, CVE-2018-12402, CVE-2018-12403, CVE-2018-12405, CVE-2018-12406, CVE-2018-12407, CVE-2018-18492, CVE-2018-18493, CVE-2018-18494, CVE-2018-18495, CVE-2018-18496, CVE-2018-18497, CVE-2018-18498, CVE-2018-18499, CVE-2018-18500, CVE-2018-18501, CVE-2018-18502, CVE-2018-18503, CVE-2018-18504, CVE-2018-18505, CVE-2018-18506, CVE-2018-18510, CVE-2018-5150, CVE-2018-5151, CVE-2018-5152, CVE-2018-5153, CVE-2018-5154, CVE-2018-5155, CVE-2018-5156, CVE-2018-5157, CVE-2018-5158, CVE-2018-5159, CVE-2018-5160, CVE-2018-5163, CVE-2018-5164, CVE-2018-5166, CVE-2018-5167, CVE-2018-5168, CVE-2018-5169, CVE-2018-5172, CVE-2018-5173, CVE-2018-5174, CVE-2018-5175, CVE-2018-5176, CVE-2018-5177, CVE-2018-5179, CVE-2018-5180, CVE-2018-5181, CVE-2018-5182, CVE-2018-5186, CVE-2018-5187, CVE-2018-5188

which just seems like too much.

-- 
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Content-Disposition: attachment; filename="0001-gnu-icecat-Update-cpe-name.patch"

From 2eb51419218e77c4ccb517c642e8fc7e40724973 Mon Sep 17 00:00:00 2001
From: Efraim Flashner
Date: Wed, 10 Jul 2019 09:59:03 +0300
Subject: [PATCH] gnu: icecat: Update cpe-name.

* gnu/packages/gnuzilla.scm (icecat)[properties]: Update cpe-name, cpe-version.
---
 gnu/packages/gnuzilla.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index ff382b2388..c3931c2594 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm
@@ -939,8 +939,8 @@ features built-in privacy-protecting features.") (license license:mpl2.0) ;and others, see toolkit/content/license.= html (properties `((ftp-directory . "/gnu/gnuzilla") - (cpe-name . "firefox_esr") - (cpe-version . ,(first (string-split version #\-))))))) + (cpe-name . "firefox") + (cpe-version . ,(first (string-split version #\.))))))) =20 (define-public conkeror ;; The Conkeror web browser relied on XULRunner, which IceCat > 50 no lo= nger --=20 2.22.0
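
Review bot: In the added cpe-version line, splitting on #\. and taking the first element reduces a version such as 60.8.0-guix1 (the one shown in the lint output in this message) to just "60", so the minor and patch levels never reach the CVE lookup; that fits the very long list of matches the message reports. Consider keeping the existing #\- split, which yields 60.8.0, and changing only cpe-name in this hunk. A short comment beside cpe-name saying why it is "firefox" rather than "firefox_esr" would also help whoever next touches these properties.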