From owner-freebsd-security@FreeBSD.ORG Thu Mar 21 10:11:17 2013
From: Dag-Erling Smørgrav <des@des.no>
To: "Simon L. B. Nielsen"
Cc: freebsd-security@freebsd.org
Subject: Re: CPE [was old perl vulnerability]
Date: Thu, 21 Mar 2013 11:04:18 +0100
In-Reply-To: (Simon L. B. Nielsen's message of "Wed, 20 Mar 2013 17:22:50 +0000")
Message-ID: <867gl19ihp.fsf@ds4.des.no>
List-Id: "Security issues [members-only posting]"

"Simon L. B. Nielsen" writes:
> Dag-Erling Smørgrav wrote:
> > This wouldn't keep happening if we used CPEs whenever possible...
> Where would you use CPE - in all packages? I assume you are talking
> about http://cpe.mitre.org/about/ ?

Yes.

> Part of the problem for VuXML is the trillion names for packages some
> ports have, making it more painful.

Exactly. So what I propose is:

 - Add a port Makefile variable for the CPE (or multiple variables for
   the different components of the CPE, and code that "assembles" it).
 - The ports infrastructure ensures that the CPE is included in the
   port / package metadata.
 - If a vulnerability is discovered in a port that has a CPE, the CPE is
   included in the vuxml entry.
 - portaudit, "pkg audit" etc. are modified so that if an installed
   package has a CPE, the CPE is used instead of (or in addition to?)
   the name when matching vuxml entries.

It is very important that the CPE logic be conditional on the presence
of a CPE in the *package* and not in the vuxml entry, not just to ensure
the transition from the pre-CPE regime, but also because most software
doesn't even have a CPE until the first time it is the subject of a CVE.

DES
-- 
Dag-Erling Smørgrav - des@des.no
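The following is an added example written for this archive page; it is not code from the post, from the FreeBSD ports tree, from portaudit or from pkg. It models the proposal in the message: a CPE 2.3 formatted string is assembled from the components a port Makefile would carry (vendor, product, version, ... as in the CPE 2.3 binding), and an audit pass matches installed packages against vuxml-style entries by CPE only when the *package* carries a CPE, falling back to the port name otherwise, so entries for software without a CPE and packages from the pre-CPE regime keep working. The package names, versions, vuxml ids and the dotted-numeric version comparison are constructed assumptions for the sample data, not real ports or advisories.

```python
"""Added example: assemble a CPE from port metadata components and audit
installed packages against vuxml-like entries, using the CPE only when the
installed package has one.  All data below is constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional


def _fs_escape(value: str) -> str:
    # CPE 2.3 formatted-string binding: letters, digits, '.', '-' and '_' are
    # literal; every other character is escaped with a backslash.
    return "".join(c if c.isalnum() or c in "._-" else "\\" + c for c in value)


def assemble_cpe(vendor: str, product: str, version: str = "",
                 update: str = "", edition: str = "", language: str = "",
                 sw_edition: str = "", target_sw: str = "",
                 target_hw: str = "", other: str = "") -> str:
    """Assemble an application CPE from its components, as the proposed
    ports-infrastructure code would do.  An empty component means ANY ('*')."""
    parts = [vendor, product, version, update, edition, language,
             sw_edition, target_sw, target_hw, other]
    return "cpe:2.3:a:" + ":".join(_fs_escape(p) if p else "*" for p in parts)


def cpe_key(cpe: str):
    """The (vendor, product) fields of a formatted string, used for matching."""
    fields = cpe.split(":")
    return (fields[3], fields[4])


def version_tuple(v: str):
    # Assumption: purely dotted numeric versions; real port versions need the
    # package manager's own comparison rules.
    return tuple(int(x) for x in v.split("."))


@dataclass
class Package:
    name: str
    version: str
    cpe: Optional[str] = None        # only set for ports that define one


@dataclass
class VuxmlEntry:
    vid: str
    names: List[str]                 # the many port names an entry must list
    lt: str                          # affected if installed version < lt
    cpe: Optional[str] = None        # vendor:product CPE, if the software has one


def is_affected(pkg: Package, entry: VuxmlEntry) -> bool:
    """CPE match only when the installed package carries a CPE (and the entry
    has one); otherwise fall back to the name list, which also covers software
    that has no CPE yet."""
    if pkg.cpe is not None and entry.cpe is not None:
        if cpe_key(pkg.cpe) != cpe_key(entry.cpe):
            return False
    elif pkg.name not in entry.names:
        return False
    return version_tuple(pkg.version) < version_tuple(entry.lt)


def audit(installed: List[Package], entries: List[VuxmlEntry]) -> List[str]:
    """Return the sorted vuxml ids that apply to the installed packages."""
    return sorted({e.vid for p in installed for e in entries if is_affected(p, e)})


# Constructed sample vuxml entries (hypothetical vids and versions).
ENTRIES = [
    VuxmlEntry("example-0001", ["perl5", "perl5.12", "perl5.14"], "5.14.3",
               cpe=assemble_cpe("perl", "perl")),
    VuxmlEntry("example-0002", ["libfoo"], "1.2.0"),   # no CPE assigned yet
]

# Constructed sample installed packages.
INSTALLED = [
    # Port renamed since the entry was written, but it carries a CPE: matched.
    Package("perl5.16", "5.14.2", cpe=assemble_cpe("perl", "perl", "5.14.2")),
    # Pre-CPE package at the fixed version: name match, not affected.
    Package("perl5.14", "5.14.3"),
    # Software without a CPE: name fallback still finds it.
    Package("libfoo", "1.1.0"),
]

if __name__ == "__main__":
    print(assemble_cpe("perl", "perl", "5.14.2"))
    print(audit(INSTALLED, ENTRIES))
```

The point the message stresses is in `is_affected`: the branch is chosen by whether the installed package has a CPE, so a vuxml entry that gains a CPE later does not stop matching older packages by name, and an entry for software that never received a CPE still matches by name.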