From mboxrd@z Thu Jan 1 00:00:00 1970 From: Efraim Flashner Subject: bug#36571: icecat's CPE data is wrong Date: Sun, 14 Jul 2019 15:33:35 +0300 Message-ID: <20190714123335.GB22158@macbook41> References: <20190710070540.GN1085@macbook41> <874l3sqpjb.fsf@gnu.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="kXdP64Ggrk/fb43R" Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:49630) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hmdhc-0007jv-Tw for bug-guix@gnu.org; Sun, 14 Jul 2019 08:34:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hmdhb-0006yI-1P for bug-guix@gnu.org; Sun, 14 Jul 2019 08:34:04 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:35137) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1hmdha-0006xo-DB for bug-guix@gnu.org; Sun, 14 Jul 2019 08:34:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1hmdha-0001QC-9U for bug-guix@gnu.org; Sun, 14 Jul 2019 08:34:02 -0400 Sender: "Debbugs-submit" Resent-To: bug-guix@gnu.org Resent-Message-ID: Content-Disposition: inline In-Reply-To: <874l3sqpjb.fsf@gnu.org> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: 36571-done@debbugs.gnu.org --kXdP64Ggrk/fb43R Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jul 11, 2019 at 10:34:00PM +0200, Ludovic Court=C3=A8s wrote: > Hello, >=20 > Efraim Flashner skribis: >=20 > > currently we have: > > (cpe-name . "firefox_esr") > > (cpe-version . ,(first (string-split version #\-) > > > > and it should be: > > (cpe-name . "firefox") > > (cpe-version . ,(first (string-split version #\.) > > > > however, this returns results for firefox@60, which I'm pretty sure > > doesn't take into account that we're not running 60.0.0 but 60.8.0. With > > the change 'guix lint -c cve iceat' returns: > > icecat@60.8.0-guix1: probably vulnerable to CVE-2019-9788, CVE-2019-978= 9, [=E2=80=A6] >=20 > Indeed, something seems to be wrong. >=20 > --8<---------------cut here---------------start------------->8--- > scheme@(guile-user)> ,use(guix cve) > scheme@(guile-user)> (vulnerabilities->lookup-proc (current-vulnerabiliti= es)) > fetching CVE database for 2019... > fetching CVE database for 2018... > scheme@(guile-user)> $2 > $3 =3D # > scheme@(guile-user)> (length ($2 "firefox" "60")) > $4 =3D 107 > scheme@(guile-user)> (length ($2 "firefox" "60.8")) > $5 =3D 0 > scheme@(guile-user)> (length ($2 "firefox" "60.5")) > $6 =3D 0 > --8<---------------cut here---------------end--------------->8--- >=20 > Actually, the procedure returned by =E2=80=98vulnerabilities->lookup-proc= =E2=80=99 > performs exact matches on version string. So =E2=80=9C60=E2=80=9D is _no= t_ equivalent > to =E2=80=9C60 or any 60.x version=E2=80=9D. >=20 > Here are the versions we see for one of these CVEs: >=20 > --8<---------------cut here---------------start------------->8--- > scheme@(guile-user)> ,use(srfi srfi-1) > scheme@(guile-user)> (find (lambda (vuln) > (string=3D? (vulnerability-id vuln) > "CVE-2019-9788")) > (current-vulnerabilities)) > $9 =3D #< id: "CVE-2019-9788" packages: (("thunderbird" = =E2=80=A6) ("firefox_esr" "60.5.0" "60.4.0" "60.3.0" "60.2.2" "60.2.0" "60.= 1.0" "60.0" "53.0.0" "52.9.0" =E2=80=A6) ("firefox" "9.0.1" "9.0" "8.0.1" "= 8.0" "7.0.1" "7.0" "65.0" "64.0.2" "64.0" "63.0.3" "63.0.1" "63.0" "62.0.3"= "62.0.2" "62.0" "61.0.2" "61.0.1" "61.0" "60.6.1" "60.5.0" "60.4.0" "60.3.= 0" "60.2.2" "60.2.1" "60.2.0" "60.1.0" =E2=80=A6)> > --8<---------------cut here---------------end--------------->8--- >=20 > So IceCat probably corresponds to =E2=80=9Cfirefox_esr=E2=80=9D, but we g= ot the CPE > version string wrong: we should just strip the =E2=80=9C-gnu*=E2=80=9D su= ffix, nothing > more. >=20 > WDYT? >=20 I was about to go and make the change but it seems that this is already what we have. 'firefox_esr' and '(first (string-split version #\-))'. So it looks like the vulnerability list just hasn't caught up with the version we have now. Closing as 'everything works as expected' --=20 Efraim Flashner =D7=90=D7=A4=D7=A8=D7=99=D7=9D = =D7=A4=D7=9C=D7=A9=D7=A0=D7=A8 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --kXdP64Ggrk/fb43R Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAl0rIRsACgkQQarn3Mo9 g1H+1Q/+KrOE1LdkQfh7acCoQChM4H7Di6lLTIQ1cKpIstv/UJKwbb6AUeCu5ZjU 2TGqMv38wk32Ql6mLGEvNy3ofDC/lKREn/jKclRa8Yy7TEgGKU32y3MwQPj5J78P NDNPJBbJLqEXt9l0e1uGNCh+cmykNSNpjcZpYWbNJDKLHOZFr9KQ0xW2MWcqbfcM H4hMGerj1NBhAwhs+krmWAG09cKeK83n10enFtF8hCVWSY/VkjXOUYrHIhGrAGyr Sa0p6FwUehxHpvx7tmSr6g2sCMJcNsP2o1dbd0RGNN1+cBHqW7tdBuhzJ1FZpUQg 1eZt5kDTKcTS1iRBQoNdPX3kYCR8fGsZGQM0LrniXAHS63/HiV6ox2Z2xoj8yWTH WtrgRWwVyHaPw9RQ3oHIPdrOAcvH/Eqj2I7WGJdCr9ZrVx2yYMuCJsgdI8toH3nE zd+m2QDj5KAN+stUXI/WMNs1t/asYrUO+phsFXVuT5/7KSm7c8J7uaJfWa78hvLi mNbBTEv/UYcL3kcIuevwlYnNRfpJ1X8hky7mQkFkm0WFEZY4FPM+/aEaPYfoJI2V 6I2eMBbKosT9Mx9rnAKm+ncovsnCHoEwhSvxPhKW1OeOm4eKs5W8iLbvZCeM2L6Q X5BDxx/W/jyDhp9OA5fWdobOMQ6j6iHlf+wSLcx8aHJDaR1FBVo= =wGUa -----END PGP SIGNATURE----- --kXdP64Ggrk/fb43R--