17/20: cve: Gracefully handle bogus CVE entries.
From: guix-commits
Subject: 17/20: cve: Gracefully handle bogus CVE entries.
Date: Sun, 25 Apr 2021 08:37:56 -0400 (EDT)
civodul pushed a commit to branch version-1.3.0
in repository guix.
commit ff74e2a1bc7f3bf723760dbefc926fab261450b3
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Wed Apr 21 23:49:59 2021 +0200
cve: Gracefully handle bogus CVE entries.
Fixes <https://bugs.gnu.org/47941>.
Reported by Jack Hill <jackhill@jackhill.us>.
* guix/cve.scm (reference-data->cve-references): Gracefully handle lack
of "reference_data".
(cpe-match->cve-configuration): Gracefully handle lack of "cpe23Uri".
---
guix/cve.scm | 31 ++++++++++++++++++-------------
1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/guix/cve.scm b/guix/cve.scm
index b3a8b13..9e1cf5b 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès
<ludo@gnu.org>
+;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès
<ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -99,7 +99,9 @@
(define (reference-data->cve-references alist)
(map json->cve-reference
- (vector->list (assoc-ref alist "reference_data"))))
+ ;; Normally "reference_data" is always present but rejected CVEs such
+ ;; as CVE-2020-10020 can lack it.
+ (vector->list (or (assoc-ref alist "reference_data") '#()))))
(define %cpe-package-rx
;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
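Review bot: the `(or (assoc-ref alist "reference_data") '#())` fallback only covers a key that is absent; a key that is present with a non-vector value still reaches `vector->list` and raises. With Guile-JSON's default representation a JSON `null` parses to the symbol `null`, not to `#f`, so a `"reference_data": null` entry would not be caught. Guarding on the type rather than on presence handles both shapes, e.g. `(let ((refs (assoc-ref alist "reference_data"))) (if (vector? refs) (vector->list refs) '()))`.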
@@ -137,17 +139,20 @@ package."
(starte (assoc-ref alist "versionStartExcluding"))
(endi (assoc-ref alist "versionEndIncluding"))
(ende (assoc-ref alist "versionEndExcluding")))
- (let-values (((package version) (cpe->package-name cpe)))
- (and package
- `(,package
- ,(cond ((and (or starti starte) (or endi ende))
- `(and ,(if starti `(>= ,starti) `(> ,starte))
- ,(if endi `(<= ,endi) `(< ,ende))))
- (starti `(>= ,starti))
- (starte `(> ,starte))
- (endi `(<= ,endi))
- (ende `(< ,ende))
- (else version)))))))
+ ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
+ ;; has a configuration that lacks it.
+ (and cpe
+ (let-values (((package version) (cpe->package-name cpe)))
+ (and package
+ `(,package
+ ,(cond ((and (or starti starte) (or endi ende))
+ `(and ,(if starti `(>= ,starti) `(> ,starte))
+ ,(if endi `(<= ,endi) `(< ,ende))))
+ (starti `(>= ,starti))
+ (starte `(> ,starte))
+ (endi `(<= ,endi))
+ (ende `(< ,ende))
+ (else version))))))))
(define (configuration-data->cve-configurations alist)
"Given ALIST, a JSON dictionary for the baroque \"configurations\"
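Review bot: the new `(and cpe ...)` guard makes a `cpe_match` item without `cpe23Uri` evaluate to `#f` silently, so the malformed configuration simply vanishes from the result and callers see fewer affected packages with no indication that input was skipped. Consider emitting a warning (naming the offending CVE id) at the point where `cpe` is `#f`, so a feed regression that drops `cpe23Uri` broadly is noticed rather than absorbed. As with the `reference_data` hunk, a `cpe23Uri` whose value is JSON `null` would pass this test and still reach `cpe->package-name`; checking `(string? cpe)` instead of truthiness closes that case too.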