From owner-dev-commits-ports-main@freebsd.org Mon Sep 27 18:22:58 2021 Return-Path: Delivered-To: dev-commits-ports-main@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 2241366D918; Mon, 27 Sep 2021 18:22:58 +0000 (UTC) (envelope-from kozlov@ravenloft.kiev.ua) Received: from ravenloft.kiev.ua (ravenloft.kiev.ua [94.244.131.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4HJ9wx6Y2Nz4WWp; Mon, 27 Sep 2021 18:22:57 +0000 (UTC) (envelope-from kozlov@ravenloft.kiev.ua) Date: Mon, 27 Sep 2021 20:22:55 +0200 From: Alex Kozlov To: Bernhard =?iso-8859-1?Q?Fr=F6hlich?= Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org Subject: Re: git: 8e36aa89c535 - main - archivers/ha: Add CPE information Message-ID: <20210927182255.GA37696@ravenloft.kiev.ua> References: <202109201433.18KEXHRJ053338@gitrepo.freebsd.org> <20210927091710.GA21625@ravenloft.kiev.ua> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Rspamd-Queue-Id: 4HJ9wx6Y2Nz4WWp X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-BeenThere: dev-commits-ports-main@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the main branch of the FreeBSD ports repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Sep 2021 18:22:58 -0000 On Mon, Sep 27, 2021 at 01:26:14PM +0200, Bernhard Fröhlich wrote: > On Mon, Sep 27, 2021 at 11:17 AM Alex Kozlov wrote: > > > > On Mon, Sep 20, 2021 at 02:33:17PM +0000, Bernhard Froehlich wrote: > > > The branch main has been updated by decke: > > > > > > URL: https://cgit.FreeBSD.org/ports/commit/?id=8e36aa89c5357316ed5bf1cc3d877624b51e21a6 > > > > > > commit 8e36aa89c5357316ed5bf1cc3d877624b51e21a6 > > > Author: Bernhard Froehlich > > > AuthorDate: 2021-09-20 14:18:16 +0000 > > > Commit: Bernhard Froehlich > > > CommitDate: 2021-09-20 14:18:16 +0000 > > > > > > archivers/ha: Add CPE information > > > > > > Approved by: portmgr (blanket) > > > --- > > > archivers/ha/Makefile | 3 ++- > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > > > diff --git a/archivers/ha/Makefile b/archivers/ha/Makefile > > > index 3e69951b4d82..15f05c41b881 100644 > > > --- a/archivers/ha/Makefile > > > +++ b/archivers/ha/Makefile > > > @@ -16,7 +16,8 @@ NO_WRKSUBDIR= yes > > > PLIST_FILES= bin/ha > > > MAKEFILE= makefile.nix > > > ALL_TARGET= ha > > > -USES= gmake tar:tgz > > > +USES= cpe gmake tar:tgz > > > +CPE_VENDOR= linux-ha > > Are you sure that linux-ha (High-Availability Linux) cpe.vendor is applicable > > to archivers/ha (Hirvola's archiver)? > > Thanks for having a look! Being curious is definitely good because I > only spend a few minutes > per port to decide if that is a match or not. > > I remember that this looked pretty strange to me as well but here is > what the data says. > Lookup in the CPE Dictionary for "cpe:2.3:a:linux-ha:ha" gives me: > > https://nvd.nist.gov/products/cpe/detail/917416?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Alinux-ha%3Aha&status=FINAL > > That points me to: > > http://www.linux-ha.org/wiki/Main_Page => dead, wayback machine > https://web.archive.org/web/20210214054305/http://www.linux-ha.org/wiki/Main_Page > => > "The Linux-HA project maintains a set of building blocks for high > availability cluster systems" > so definitely not the archiver > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774954 => CVE-2015-1198 > https://www.openwall.com/lists/oss-security/2015/01/18/8 => points to > debian bug above > https://nvd.nist.gov/vuln/detail/CVE-2015-1198 > > The Debian page definitely uses the name "Harri Hirvola" which seems > to be the author of > that archiver. The CVE talks about a directory traversal vulnerability > in an archiver so this > sounds like what I expected. > > After all this looks like the CVE points to an incorrect CPE entry. I > will contact MITRE to > dispute that CPE entry and in the portstree I will revert the commit. I've also seen that weird debian entry, that's why I asked. > Please also have a look at CVE-2015-1198 and take some actions because > our port is > very likely also vulnerable. There was incomplete attempt to fix this/similar vulnerability, but the path part of attack still worked. So I cooked up some quick fix by analogy with resemblant vulnerability in archivers/unarj. Reviews are welcome. -- Alex