Hello,

Efraim Flashner <efr...@flashner.co.il> skribis:

> currently we have:
> (cpe-name . "firefox_esr")
> (cpe-version . ,(first (string-split version #\-)))
>
> and it should be:
> (cpe-name . "firefox")
> (cpe-version . ,(first (string-split version #\.)))
>
> however, this returns results for firefox@60, which I'm pretty sure
> doesn't take into account that we're not running 60.0.0 but 60.8.0. With
> the change 'guix lint -c cve icecat' returns:
> icecat@60.8.0-guix1: probably vulnerable to CVE-2019-9788, CVE-2019-9789, […]

Indeed, something seems to be wrong.

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(guix cve)
scheme@(guile-user)> (vulnerabilities->lookup-proc (current-vulnerabilities))
fetching CVE database for 2019...
fetching CVE database for 2018...
scheme@(guile-user)> $2
$3 = #<procedure 1f64baa0 at guix/cve.scm:268:2 (package #:optional version)>
scheme@(guile-user)> (length ($2 "firefox" "60"))
$4 = 107
scheme@(guile-user)> (length ($2 "firefox" "60.8"))
$5 = 0
scheme@(guile-user)> (length ($2 "firefox" "60.5"))
$6 = 0
--8<---------------cut here---------------end--------------->8---

Actually, the procedure returned by ‘vulnerabilities->lookup-proc’ performs
exact matches on the version string. So “60” is _not_ equivalent to “60 or
any 60.x version”.

Here are the versions we see for one of these CVEs:

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(srfi srfi-1)
scheme@(guile-user)> (find (lambda (vuln) (string=? (vulnerability-id vuln) "CVE-2019-9788"))
                           (current-vulnerabilities))
$9 = #<<vulnerability> id: "CVE-2019-9788" packages: (("thunderbird" …)
("firefox_esr" "60.5.0" "60.4.0" "60.3.0" "60.2.2" "60.2.0" "60.1.0" "60.0" "53.0.0" "52.9.0" …)
("firefox" "9.0.1" "9.0" "8.0.1" "8.0" "7.0.1" "7.0" "65.0" "64.0.2" "64.0" "63.0.3" "63.0.1" "63.0" "62.0.3" "62.0.2" "62.0" "61.0.2" "61.0.1" "61.0" "60.6.1" "60.5.0" "60.4.0" "60.3.0" "60.2.2" "60.2.1" "60.2.0" "60.1.0" …))>
--8<---------------cut here---------------end--------------->8---

So IceCat probably corresponds to “firefox_esr”, but we got the CPE version
string wrong: we should just strip the “-gnu*” suffix, nothing more.

WDYT?

Thanks,
Ludo’.
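To make the exact-match behaviour concrete, here is an added Guile snippet (not Guix's own code; the CVE table in it is constructed, not NVD data) that models a lookup like the one `vulnerabilities->lookup-proc` returns and applies both cpe-version derivations from the thread to IceCat's version string.

```scheme
;; Added example, not code from (guix cve).  It models the exact-match
;; lookup described above over a constructed CVE table.
(use-modules (srfi srfi-1))

;; Constructed sample shaped like the <vulnerability> record printed above:
;; (id (cpe-name version ...) ...).  Versions are illustrative only.
(define sample-vulnerabilities
  '(("CVE-2019-9788"
     ("firefox_esr" "60.5.0" "60.4.0" "60.0")
     ("firefox" "65.0" "60.6.1" "60.5.0" "60"))
    ("CVE-2019-9789"
     ("firefox_esr" "60.5.0")
     ("firefox" "66.0" "60"))))

;; Exact string comparison on product and version, as the real lookup
;; procedure does: "60" is not treated as "any 60.x release".
(define (lookup-cves vulns package version)
  (filter-map
   (lambda (vuln)
     (let ((entry (assoc package (cdr vuln))))
       (and entry
            (member version (cdr entry))
            (car vuln))))
   vulns))

;; The two candidate derivations of cpe-version from the thread.
(define (cpe-version/dash version)   ; strip the "-suffix" -> "60.8.0"
  (first (string-split version #\-)))
(define (cpe-version/dot version)    ; keep only the major -> "60"
  (first (string-split version #\.)))

(define icecat-version "60.8.0-guix1")

;; Looking up "firefox" with the bare major string hits every entry that
;; happens to list "60" literally: false positives for IceCat 60.8.0.
(format #t "firefox ~a: ~s~%"
        (cpe-version/dot icecat-version)
        (lookup-cves sample-vulnerabilities "firefox"
                     (cpe-version/dot icecat-version)))

;; Looking up "firefox_esr" with the full version only reports entries that
;; list 60.8.0 exactly; none in the sample do, so the list is empty.
(format #t "firefox_esr ~a: ~s~%"
        (cpe-version/dash icecat-version)
        (lookup-cves sample-vulnerabilities "firefox_esr"
                     (cpe-version/dash icecat-version)))
```

Run it with `guile -s`; swapping the sample table for `(current-vulnerabilities)` would need the record accessors from (guix cve) rather than the plain lists used here.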