From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: Auditing CPE names
Date: Mon, 13 Feb 2017 15:26:32 +0100
Message-ID: <877f4udv53.fsf@gnu.org>
References: <20170211195346.GA10400@jasmine> <20170212153811.GA18631@jasmine>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:59501)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1cdHaQ-0006UY-F0
	for guix-devel@gnu.org; Mon, 13 Feb 2017 09:26:39 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1cdHaN-0004SB-Re
	for guix-devel@gnu.org; Mon, 13 Feb 2017 09:26:38 -0500
In-Reply-To: <20170212153811.GA18631@jasmine> (Leo Famulari's message of "Sun,
	12 Feb 2017 10:38:11 -0500")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org

Leo Famulari <leo@famulari.name> skribis:

> On Sat, Feb 11, 2017 at 02:53:46PM -0500, Leo Famulari wrote:
>> It's important to name the package in accordance with the CPE or set
>> the cpe-name property, or else `guix lint -c cve` won't work for that
>> package.
>
> In commit 84b60a7cdfc (gnu: lcms: Fix an out-of-bounds read.) I tried to
> set the cpe-name but couldn't get it to work, and then I forgot to
> remove it from the commit message before pushing.
>
> Anyways, I still can't get it to work after trying again today.
>
> This package should be reported as vulnerable to CVE-2016-10165. The CVE
> database for 2016 includes this line in the entry for that CVE:
>
> <cpe-lang:fact-ref name=3D"cpe:/a:littlecms:little_cms_color_engine"/>
>
> But when setting the cpe-name to little_cms_color_engine, the linter
> still doesn't report the vulnerability.

The vulnerability isn=E2=80=99t in ~/.cache/guix/cve/* AFAICS.

I grabbed
https://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2016.xml.gz and the
reason is that the CPE string above doesn=E2=80=99t specify a version strin=
g,
whereas the regexp in (guix cve) expects a version string, like

  cpe:/a:littlecms:little_cms_color_engine:123

So, a bug.

I=E2=80=99ll see what I can do before going on vacations.

There may well be other bugs of this style, so whenever =E2=80=98guix lint=
=E2=80=99
doesn=E2=80=99t report a CVE, it=E2=80=99s a good idea to check whether the=
 bug is just
not in the XML file yet, or whether there=E2=80=99s a genuine bug.

Thanks!

Ludo=E2=80=99.