bug#36571: icecat's CPE data is wrong
From: Ludovic Courtès
Subject: bug#36571: icecat's CPE data is wrong
Date: Thu, 11 Jul 2019 22:34:00 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)
Hello,
Efraim Flashner <address@hidden> skribis:
> currently we have:
> (cpe-name . "firefox_esr")
> (cpe-version . ,(first (string-split version #\-)))
>
> and it should be:
> (cpe-name . "firefox")
> (cpe-version . ,(first (string-split version #\.)))
>
> however, this returns results for firefox@60, which I'm pretty sure
> doesn't take into account that we're not running 60.0.0 but 60.8.0. With
> the change 'guix lint -c cve icecat' returns:
> icecat@60.8.0-guix1: probably vulnerable to CVE-2019-9788, CVE-2019-9789, […]
Indeed, something seems to be wrong.
--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(guix cve)
scheme@(guile-user)> (vulnerabilities->lookup-proc (current-vulnerabilities))
fetching CVE database for 2019...
fetching CVE database for 2018...
scheme@(guile-user)> $2
$3 = #<procedure 1f64baa0 at guix/cve.scm:268:2 (package #:optional version)>
scheme@(guile-user)> (length ($2 "firefox" "60"))
$4 = 107
scheme@(guile-user)> (length ($2 "firefox" "60.8"))
$5 = 0
scheme@(guile-user)> (length ($2 "firefox" "60.5"))
$6 = 0
--8<---------------cut here---------------end--------------->8---
Actually, the procedure returned by ‘vulnerabilities->lookup-proc’
performs exact matches on version strings. So “60” is _not_ equivalent
to “60 or any 60.x version”.
Here are the versions we see for one of these CVEs:
--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(srfi srfi-1)
scheme@(guile-user)> (find (lambda (vuln)
                             (string=? (vulnerability-id vuln)
                                       "CVE-2019-9788"))
                           (current-vulnerabilities))
$9 = #<<vulnerability> id: "CVE-2019-9788" packages: (("thunderbird" …)
("firefox_esr" "60.5.0" "60.4.0" "60.3.0" "60.2.2" "60.2.0" "60.1.0" "60.0"
"53.0.0" "52.9.0" …) ("firefox" "9.0.1" "9.0" "8.0.1" "8.0" "7.0.1" "7.0"
"65.0" "64.0.2" "64.0" "63.0.3" "63.0.1" "63.0" "62.0.3" "62.0.2" "62.0"
"61.0.2" "61.0.1" "61.0" "60.6.1" "60.5.0" "60.4.0" "60.3.0" "60.2.2" "60.2.1"
"60.2.0" "60.1.0" …)>
--8<---------------cut here---------------end--------------->8---
So IceCat probably corresponds to “firefox_esr”, but we got the CPE
version string wrong: we should just strip the “-gnu*” suffix, nothing
more.
WDYT?
Thanks,
Ludo’.
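An added Guile illustration of the exact-match behaviour discussed in this message (not code from the Guix tree; the CVE record below is a constructed stand-in modelled on the output above, and the procedure names are hypothetical):

```scheme
(use-modules (srfi srfi-1) (ice-9 match))

;; Constructed stand-in for one <vulnerability> record's package list:
;; ((cpe-name version ...) ...).  The bare "60" entry under "firefox"
;; stands for the kind of entry that made ("firefox" "60") return hits.
(define cve-packages
  '(("firefox_esr" "60.5.0" "60.4.0" "60.3.0" "60.2.2" "60.2.0" "60.1.0" "60.0")
    ("firefox" "65.0" "60.6.1" "60.5.0" "60.4.0" "60")))

;; What the current icecat definition computes: drop the "-guix1"
;; (or "-gnu*") suffix after the first dash.   "60.8.0-guix1" -> "60.8.0"
(define (cpe-version/strip-suffix version)
  (first (string-split version #\-)))

;; What the proposed change computes: keep only the major number.
;;                                              "60.8.0-guix1" -> "60"
(define (cpe-version/major-only version)
  (first (string-split version #\.)))

;; Exact string comparison, as the procedure returned by
;; vulnerabilities->lookup-proc does: no prefix or range semantics.
(define (affected? packages cpe-name cpe-version)
  (match (assoc cpe-name packages)
    ((_ . versions) (and (member cpe-version versions) #t))
    (#f #f)))

;; "60.8.0" is not in the firefox_esr list (the fix shipped earlier),
;; so the lookup correctly reports not affected:
(affected? cve-packages "firefox_esr" (cpe-version/strip-suffix "60.8.0-guix1"))
;; => #f

;; An older ESR build whose version is listed is reported as affected:
(affected? cve-packages "firefox_esr" (cpe-version/strip-suffix "60.5.0-guix1"))
;; => #t

;; With "firefox" and the major-only version, the literal "60" entry
;; matches and yields a spurious "probably vulnerable" for 60.8.0:
(affected? cve-packages "firefox" (cpe-version/major-only "60.8.0-guix1"))
;; => #t
```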