From: Ludovic Courtès
Subject: bug#36571: icecat's CPE data is wrong
Date: Thu, 11 Jul 2019 22:34:00 +0200
Message-ID: <874l3sqpjb.fsf@gnu.org>
In-Reply-To: <20190710070540.GN1085@macbook41> (Efraim Flashner's message of "Wed, 10 Jul 2019 10:05:40 +0300")
To: Efraim Flashner
Cc: 36571@debbugs.gnu.org

Hello,

Efraim Flashner writes:

> currently we have:
>   (cpe-name . "firefox_esr")
>   (cpe-version . ,(first (string-split version #\-)))
>
> and it should be:
>   (cpe-name . "firefox")
>   (cpe-version . ,(first (string-split version #\.)))
>
> however, this returns results for firefox@60, which I'm pretty sure
> doesn't take into account that we're not running 60.0.0 but 60.8.0. With
> the change 'guix lint -c cve icecat' returns:
> icecat@60.8.0-guix1: probably vulnerable to CVE-2019-9788, CVE-2019-9789, […]

Indeed, something seems to be wrong.

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(guix cve)
scheme@(guile-user)> (vulnerabilities->lookup-proc (current-vulnerabilities))
fetching CVE database for 2019...
fetching CVE database for 2018...
scheme@(guile-user)> $2
$3 = #
scheme@(guile-user)> (length ($2 "firefox" "60"))
$4 = 107
scheme@(guile-user)> (length ($2 "firefox" "60.8"))
$5 = 0
scheme@(guile-user)> (length ($2 "firefox" "60.5"))
$6 = 0
--8<---------------cut here---------------end--------------->8---

Actually, the procedure returned by ‘vulnerabilities->lookup-proc’ performs exact matches on version strings. So “60” is _not_ equivalent to “60 or any 60.x version”.

Here are the versions we see for one of these CVEs:

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(srfi srfi-1)
scheme@(guile-user)> (find (lambda (vuln) (string=? (vulnerability-id vuln) "CVE-2019-9788")) (current-vulnerabilities))
$9 = #< id: "CVE-2019-9788" packages: (("thunderbird" …) ("firefox_esr" "60.5.0" "60.4.0" "60.3.0" "60.2.2" "60.2.0" "60.1.0" "60.0" "53.0.0" "52.9.0" …) ("firefox" "9.0.1" "9.0" "8.0.1" "8.0" "7.0.1" "7.0" "65.0" "64.0.2" "64.0" "63.0.3" "63.0.1" "63.0" "62.0.3" "62.0.2" "62.0" "61.0.2" "61.0.1" "61.0" "60.6.1" "60.5.0" "60.4.0" "60.3.0" "60.2.2" "60.2.1" "60.2.0" "60.1.0" …)>
--8<---------------cut here---------------end--------------->8---

So IceCat probably corresponds to “firefox_esr”, but we got the CPE version string wrong: we should just strip the “-gnu*” suffix, nothing more.

WDYT?

Thanks,
Ludo’.
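As an added illustration (not code from the thread or from Guix itself), the snippet below reproduces the exact-match semantics discussed above on a small constructed subset of the CVE-2019-9788 record: deriving the CPE version by stripping the "-guix1"-style suffix finds matches only when that precise version is listed, while the proposed major-number-only version can never match a "60.x" entry. The table, `icecat-cpe-version`, `major-only` and `lookup` are all hypothetical names introduced here.

```scheme
(use-modules (srfi srfi-1)
             (ice-9 match))

;; Constructed subset of the CVE-2019-9788 record shown in the REPL
;; session above: (CVE-ID (CPE-NAME VERSION ...) ...).
(define sample-vulnerabilities
  '(("CVE-2019-9788"
     ("firefox_esr" "60.5.0" "60.4.0" "60.3.0" "60.2.2" "60.2.0" "60.1.0" "60.0")
     ("firefox" "65.0" "64.0.2" "60.6.1" "60.5.0" "60.4.0"))))

;; CPE version from a Guix package version: keep what precedes the
;; "-guix"/"-gnu" suffix, e.g. "60.8.0-guix1" -> "60.8.0".
(define (icecat-cpe-version version)
  (first (string-split version #\-)))

;; What the proposed change would compute instead: the major number only.
(define (major-only version)
  (first (string-split version #\.)))

;; Exact-match lookup, mirroring the semantics described above: a
;; package is flagged only if NAME and VERSION appear literally in the
;; record.  Returns the list of matching CVE identifiers.
(define (lookup name version)
  (filter-map (match-lambda
                ((id . packages)
                 (and (any (match-lambda
                             ((cpe-name . versions)
                              (and (string=? cpe-name name)
                                   (member version versions))))
                           packages)
                      id)))
              sample-vulnerabilities))

;; 60.8.0 is not listed for CVE-2019-9788, so nothing is flagged.
(lookup "firefox_esr" (icecat-cpe-version "60.8.0-guix1"))
;; 60.5.0 is listed: the CVE is reported.
(lookup "firefox_esr" (icecat-cpe-version "60.5.0-guix1"))
;; A bare "60" only matches entries that literally say "60", never "60.x".
(lookup "firefox" (major-only "60.8.0-guix1"))
```

Run it with `guile -s` to see `()`, `("CVE-2019-9788")` and `()` for the three lookups respectively.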