From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: Auditing CPE names
Date: Mon, 13 Feb 2017 15:26:32 +0100
Message-ID: <877f4udv53.fsf@gnu.org>
References: <20170211195346.GA10400@jasmine> <20170212153811.GA18631@jasmine>
In-Reply-To: <20170212153811.GA18631@jasmine> (Leo Famulari's message of "Sun, 12 Feb 2017 10:38:11 -0500")
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari skribis:

> On Sat, Feb 11, 2017 at 02:53:46PM -0500, Leo Famulari wrote:
>> It's important to name the package in accordance with the CPE or set
>> the cpe-name property, or else `guix lint -c cve' won't work for that
>> package.
>
> In commit 84b60a7cdfc (gnu: lcms: Fix an out-of-bounds read.) I tried to
> set the cpe-name but couldn't get it to work, and then I forgot to
> remove it from the commit message before pushing.
>
> Anyways, I still can't get it to work after trying again today.
>
> This package should be reported as vulnerable to CVE-2016-10165. The CVE
> database for 2016 includes this line in the entry for that CVE:
>
>
>
> But when setting the cpe-name to little_cms_color_engine, the linter
> still doesn't report the vulnerability.

The vulnerability isn’t in ~/.cache/guix/cve/* AFAICS.

I grabbed https://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2016.xml.gz
and the reason is that the CPE string above doesn’t specify a version
string, whereas the regexp in (guix cve) expects a version string, like

  cpe:/a:littlecms:little_cms_color_engine:123

So, a bug. I’ll see what I can do before going on vacations.

There may well be other bugs of this style, so whenever ‘guix lint’
doesn’t report a CVE, it’s a good idea to check whether the bug is just
not in the XML file yet, or whether there’s a genuine bug.

Thanks!

Ludo’.
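The failure mode Ludovic describes, a CPE matcher whose regexp requires a version field and therefore silently skips feed entries that omit it, is easy to reproduce and fix in isolation. The following is an added example, not code from Guix or from anyone in this thread: it is written in Python rather than Guile, `STRICT_CPE_RE` is a stand-in for the behaviour described (not the actual pattern in `(guix cve)`), `SAMPLE_FEED` is a constructed stand-in for the per-CVE lists of CPE URIs extracted from the NVD XML, and the package version "2.8" is made up for the demonstration. The only identifiers taken from the thread are CVE-2016-10165 and the two `littlecms` CPE strings, with and without a version.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Two illustrative regexps for CPE 2.2 URIs of applications,
# cpe:/a:vendor:product[:version[:update[:...]]].  Neither is the pattern
# used by Guix's (guix cve) module.  STRICT_CPE_RE reproduces the bug
# discussed in the thread: the version field is mandatory, so a feed entry
# that names no version never matches.  LENIENT_CPE_RE makes it optional.
STRICT_CPE_RE = re.compile(r"^cpe:/a:([^:]+):([^:]+):([^:]+)")
LENIENT_CPE_RE = re.compile(r"^cpe:/a:([^:]+):([^:]+)(?::([^:]*))?(?::|$)")


class Cpe(NamedTuple):
    vendor: str
    product: str
    version: Optional[str]  # None when the entry names no version


def parse_cpe(uri: str, regexp: "re.Pattern[str]" = LENIENT_CPE_RE) -> Optional[Cpe]:
    """Split an application CPE URI into (vendor, product, version).

    Returns None when URI does not parse under REGEXP, which is exactly what
    happens to version-less entries under STRICT_CPE_RE."""
    m = regexp.match(uri)
    if m is None:
        return None
    return Cpe(m.group(1), m.group(2), m.group(3) or None)


# Constructed stand-in for the CVE -> vulnerable-CPE mapping one would build
# from the NVD feed.  Both URIs are the ones mentioned in the thread.
SAMPLE_FEED: Dict[str, List[str]] = {
    "CVE-2016-10165": [
        "cpe:/a:littlecms:little_cms_color_engine",
        "cpe:/a:littlecms:little_cms_color_engine:123",
    ],
}


def vulnerabilities_for(cpe_name: str, version: Optional[str],
                        feed: Dict[str, List[str]],
                        regexp: "re.Pattern[str]" = LENIENT_CPE_RE) -> List[str]:
    """CVE ids whose entries name the product CPE_NAME (a package's cpe-name).

    An entry that carries a version matches only that version; an entry
    without one matches every version of the product.  Each CVE is reported
    at most once."""
    hits: List[str] = []
    for cve, uris in feed.items():
        for uri in uris:
            cpe = parse_cpe(uri, regexp)
            if cpe is None or cpe.product != cpe_name:
                continue
            if cpe.version is None or version is None or cpe.version == version:
                hits.append(cve)
                break
    return hits


if __name__ == "__main__":
    # "2.8" is a made-up package version; the point is that it is not "123".
    for label, rx in (("strict", STRICT_CPE_RE), ("lenient", LENIENT_CPE_RE)):
        found = vulnerabilities_for("little_cms_color_engine", "2.8", SAMPLE_FEED, rx)
        print(f"{label:8s} regexp: {found}")
```

With the strict pattern the version-less entry is dropped at parse time and the only entry that survives names version "123", so the lookup for a package at another version comes back empty, which is the behaviour Leo saw. Under the lenient pattern the version-less entry parses with `version=None` and matches any version of the product. When `guix lint` stays silent, the same two-step check applies: first confirm the CVE's CPE entries are present in the downloaded XML at all, then confirm they survive the parser.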