From: "Ludovic Courtès" <ludo@gnu.org>
To: Efraim Flashner <efraim@flashner.co.il>
Cc: 36571@debbugs.gnu.org
Subject: bug#36571: icecat's CPE data is wrong
Date: Thu, 11 Jul 2019 22:34:00 +0200 [thread overview]
Message-ID: <874l3sqpjb.fsf@gnu.org> (raw)
In-Reply-To: <20190710070540.GN1085@macbook41> (Efraim Flashner's message of "Wed, 10 Jul 2019 10:05:40 +0300")
Hello,
Efraim Flashner <efraim@flashner.co.il> skribis:
> currently we have:
> (cpe-name . "firefox_esr")
> (cpe-version . ,(first (string-split version #\-)
>
> and it should be:
> (cpe-name . "firefox")
> (cpe-version . ,(first (string-split version #\.)
>
> however, this returns results for firefox@60, which I'm pretty sure
> doesn't take into account that we're not running 60.0.0 but 60.8.0. With
> the change 'guix lint -c cve iceat' returns:
> icecat@60.8.0-guix1: probably vulnerable to CVE-2019-9788, CVE-2019-9789, […]
Indeed, something seems to be wrong.
--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(guix cve)
scheme@(guile-user)> (vulnerabilities->lookup-proc (current-vulnerabilities))
fetching CVE database for 2019...
fetching CVE database for 2018...
scheme@(guile-user)> $2
$3 = #<procedure 1f64baa0 at guix/cve.scm:268:2 (package #:optional version)>
scheme@(guile-user)> (length ($2 "firefox" "60"))
$4 = 107
scheme@(guile-user)> (length ($2 "firefox" "60.8"))
$5 = 0
scheme@(guile-user)> (length ($2 "firefox" "60.5"))
$6 = 0
--8<---------------cut here---------------end--------------->8---
Actually, the procedure returned by ‘vulnerabilities->lookup-proc’
performs exact matches on version string. So “60” is _not_ equivalent
to “60 or any 60.x version”.
Here are the versions we see for one of these CVEs:
--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(srfi srfi-1)
scheme@(guile-user)> (find (lambda (vuln)
(string=? (vulnerability-id vuln)
"CVE-2019-9788"))
(current-vulnerabilities))
$9 = #<<vulnerability> id: "CVE-2019-9788" packages: (("thunderbird" …) ("firefox_esr" "60.5.0" "60.4.0" "60.3.0" "60.2.2" "60.2.0" "60.1.0" "60.0" "53.0.0" "52.9.0" …) ("firefox" "9.0.1" "9.0" "8.0.1" "8.0" "7.0.1" "7.0" "65.0" "64.0.2" "64.0" "63.0.3" "63.0.1" "63.0" "62.0.3" "62.0.2" "62.0" "61.0.2" "61.0.1" "61.0" "60.6.1" "60.5.0" "60.4.0" "60.3.0" "60.2.2" "60.2.1" "60.2.0" "60.1.0" …)>
--8<---------------cut here---------------end--------------->8---
So IceCat probably corresponds to “firefox_esr”, but we got the CPE
version string wrong: we should just strip the “-gnu*” suffix, nothing
more.
WDYT?
Thanks,
Ludo’.
next prev parent reply other threads:[~2019-07-11 20:35 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-10 7:05 bug#36571: icecat's CPE data is wrong Efraim Flashner
2019-07-11 20:34 ` Ludovic Courtès [this message]
2019-07-14 12:33 ` Efraim Flashner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874l3sqpjb.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=36571@debbugs.gnu.org \
--cc=efraim@flashner.co.il \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).