From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: Auditing CPE names
Date: Mon, 13 Feb 2017 15:26:32 +0100 [thread overview]
Message-ID: <877f4udv53.fsf@gnu.org> (raw)
In-Reply-To: <20170212153811.GA18631@jasmine> (Leo Famulari's message of "Sun, 12 Feb 2017 10:38:11 -0500")
Leo Famulari <leo@famulari.name> skribis:
> On Sat, Feb 11, 2017 at 02:53:46PM -0500, Leo Famulari wrote:
>> It's important to name the package in accordance with the CPE or set
>> the cpe-name property, or else `guix lint -c cve` won't work for that
>> package.
>
> In commit 84b60a7cdfc (gnu: lcms: Fix an out-of-bounds read.) I tried to
> set the cpe-name but couldn't get it to work, and then I forgot to
> remove it from the commit message before pushing.
>
> Anyways, I still can't get it to work after trying again today.
>
> This package should be reported as vulnerable to CVE-2016-10165. The CVE
> database for 2016 includes this line in the entry for that CVE:
>
> <cpe-lang:fact-ref name="cpe:/a:littlecms:little_cms_color_engine"/>
>
> But when setting the cpe-name to little_cms_color_engine, the linter
> still doesn't report the vulnerability.
The vulnerability isn’t in ~/.cache/guix/cve/* AFAICS.
I grabbed
https://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2016.xml.gz and the
reason is that the CPE string above doesn’t specify a version string,
whereas the regexp in (guix cve) expects a version string, like
cpe:/a:littlecms:little_cms_color_engine:123
So, a bug.
I’ll see what I can do before going on vacations.
There may well be other bugs of this style, so whenever ‘guix lint’
doesn’t report a CVE, it’s a good idea to check whether the bug is just
not in the XML file yet, or whether there’s a genuine bug.
Thanks!
Ludo’.
prev parent reply other threads:[~2017-02-13 14:26 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-11 19:53 Auditing CPE names Leo Famulari
2017-02-12 15:13 ` Ludovic Courtès
2017-02-12 15:38 ` Leo Famulari
2017-02-13 14:26 ` Ludovic Courtès [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877f4udv53.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guix-devel@gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).