bug#36571: icecat's CPE data is wrong
From: Efraim Flashner
Subject: bug#36571: icecat's CPE data is wrong
Date: Sun, 14 Jul 2019 15:33:35 +0300
User-agent: Mutt/1.12.1 (2019-06-15)
On Thu, Jul 11, 2019 at 10:34:00PM +0200, Ludovic Courtès wrote:
> Hello,
>
> Efraim Flashner <address@hidden> skribis:
>
> > currently we have:
> > (cpe-name . "firefox_esr")
> > (cpe-version . ,(first (string-split version #\-)))
> >
> > and it should be:
> > (cpe-name . "firefox")
> > (cpe-version . ,(first (string-split version #\.)))
> >
> > however, this returns results for firefox@60, which I'm pretty sure
> > doesn't take into account that we're not running 60.0.0 but 60.8.0. With
> > the change 'guix lint -c cve icecat' returns:
> > icecat@60.8.0-guix1: probably vulnerable to CVE-2019-9788, CVE-2019-9789,
> > […]
>
> Indeed, something seems to be wrong.
>
> --8<---------------cut here---------------start------------->8---
> scheme@(guile-user)> ,use(guix cve)
> scheme@(guile-user)> (vulnerabilities->lookup-proc (current-vulnerabilities))
> fetching CVE database for 2019...
> fetching CVE database for 2018...
> scheme@(guile-user)> $2
> $3 = #<procedure 1f64baa0 at guix/cve.scm:268:2 (package #:optional version)>
> scheme@(guile-user)> (length ($2 "firefox" "60"))
> $4 = 107
> scheme@(guile-user)> (length ($2 "firefox" "60.8"))
> $5 = 0
> scheme@(guile-user)> (length ($2 "firefox" "60.5"))
> $6 = 0
> --8<---------------cut here---------------end--------------->8---
>
> Actually, the procedure returned by ‘vulnerabilities->lookup-proc’
> performs exact matches on version string. So “60” is _not_ equivalent
> to “60 or any 60.x version”.
>
> Here are the versions we see for one of these CVEs:
>
> --8<---------------cut here---------------start------------->8---
> scheme@(guile-user)> ,use(srfi srfi-1)
> scheme@(guile-user)> (find (lambda (vuln)
>                              (string=? (vulnerability-id vuln)
>                                        "CVE-2019-9788"))
>                            (current-vulnerabilities))
> $9 = #<<vulnerability> id: "CVE-2019-9788" packages: (("thunderbird" …)
> ("firefox_esr" "60.5.0" "60.4.0" "60.3.0" "60.2.2" "60.2.0" "60.1.0" "60.0"
> "53.0.0" "52.9.0" …) ("firefox" "9.0.1" "9.0" "8.0.1" "8.0" "7.0.1" "7.0"
> "65.0" "64.0.2" "64.0" "63.0.3" "63.0.1" "63.0" "62.0.3" "62.0.2" "62.0"
> "61.0.2" "61.0.1" "61.0" "60.6.1" "60.5.0" "60.4.0" "60.3.0" "60.2.2"
> "60.2.1" "60.2.0" "60.1.0" …)>
> --8<---------------cut here---------------end--------------->8---
>
> So IceCat probably corresponds to “firefox_esr”, but we got the CPE
> version string wrong: we should just strip the “-gnu*” suffix, nothing
> more.
>
> WDYT?
>
I was about to go and make the change but it seems that this is already
what we have. 'firefox_esr' and '(first (string-split version #\-))'. So
it looks like the vulnerability list just hasn't caught up with the
version we have now.
Closing as 'everything works as expected'.
--
Efraim Flashner <address@hidden> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
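To make the point of the thread concrete, here is an added example (not Guix's own code) that models the exact-string version matching Ludovic describes for `vulnerabilities->lookup-proc`, together with the two candidate `cpe-version` rules, over a constructed vulnerability table shaped like the `$9` output above; the `CVE-EXAMPLE-0001` entry and its version list are made up to show what a bare major version such as "60" actually matches.

```python
# Added example, not Guix code: model of the exact-match CVE lookup
# discussed in the thread, run over a constructed vulnerability table.
from typing import Dict, List

# Constructed subset of NVD-style data: CVE id -> {CPE product: [versions]}.
# CVE-2019-9788's lists follow the thread; the second entry is a placeholder
# id invented to show what the bare string "60" matches.
VULNS: Dict[str, Dict[str, List[str]]] = {
    "CVE-2019-9788": {
        "firefox_esr": ["60.5.0", "60.4.0", "60.3.0", "60.2.2",
                        "60.2.0", "60.1.0", "60.0"],
        "firefox": ["65.0", "64.0.2", "60.6.1", "60.5.0", "60.4.0"],
    },
    "CVE-EXAMPLE-0001": {  # constructed placeholder, not a real CVE
        "firefox": ["60", "59"],
    },
}

def cpe_version_dash(version: str) -> str:
    """Current Guix rule: (first (string-split version #\\-))."""
    return version.split("-")[0]

def cpe_version_dot(version: str) -> str:
    """Proposed rule from the report: (first (string-split version #\\.))."""
    return version.split(".")[0]

def lookup(package: str, version: str) -> List[str]:
    """Exact match on the version string, as vulnerabilities->lookup-proc does."""
    return sorted(cve for cve, pkgs in VULNS.items()
                  if version in pkgs.get(package, []))

def lookup_major(package: str, version: str) -> List[str]:
    """Contrast: read "N" as "N or any N.x" by comparing the leading component."""
    major = version.split(".")[0]
    return sorted(cve for cve, pkgs in VULNS.items()
                  if any(v.split(".")[0] == major for v in pkgs.get(package, [])))

if __name__ == "__main__":
    guix_version = "60.8.0-guix1"  # IceCat version string from the thread
    for name, rule in (("dash", cpe_version_dash), ("dot", cpe_version_dot)):
        v = rule(guix_version)
        print(f"{name}: {v!r} esr={lookup('firefox_esr', v)} "
              f"firefox={lookup('firefox', v)}")
```

With the dash rule the lookup key is "60.8.0", which matches nothing in the sample; with the dot rule the key is "60", which only matches entries that literally list "60", not the 60.x versions.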