Date:      Mon, 27 Sep 2021 20:22:55 +0200
From:      Alex Kozlov <ak@FreeBSD.org>
To:        Bernhard Fröhlich <decke@freebsd.org>
Cc:        ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Subject:   Re: git: 8e36aa89c535 - main - archivers/ha: Add CPE information
Message-ID:  <20210927182255.GA37696@ravenloft.kiev.ua>
In-Reply-To: <CAE-m3X35RCcFrK80voiAcr=hE9Jam8o+7UkFGhM6dmE38rhKeA@mail.gmail.com>
References:  <202109201433.18KEXHRJ053338@gitrepo.freebsd.org> <20210927091710.GA21625@ravenloft.kiev.ua> <CAE-m3X35RCcFrK80voiAcr=hE9Jam8o+7UkFGhM6dmE38rhKeA@mail.gmail.com>

On Mon, Sep 27, 2021 at 01:26:14PM +0200, Bernhard Fröhlich wrote:
> On Mon, Sep 27, 2021 at 11:17 AM Alex Kozlov <ak@freebsd.org> wrote:
> >
> > On Mon, Sep 20, 2021 at 02:33:17PM +0000, Bernhard Froehlich wrote:
> > > The branch main has been updated by decke:
> > >
> > > URL: https://cgit.FreeBSD.org/ports/commit/?id=8e36aa89c5357316ed5bf1cc3d877624b51e21a6
> > >
> > > commit 8e36aa89c5357316ed5bf1cc3d877624b51e21a6
> > > Author:     Bernhard Froehlich <decke@FreeBSD.org>
> > > AuthorDate: 2021-09-20 14:18:16 +0000
> > > Commit:     Bernhard Froehlich <decke@FreeBSD.org>
> > > CommitDate: 2021-09-20 14:18:16 +0000
> > >
> > >     archivers/ha: Add CPE information
> > >
> > >     Approved by:    portmgr (blanket)
> > > ---
> > >  archivers/ha/Makefile | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/archivers/ha/Makefile b/archivers/ha/Makefile
> > > index 3e69951b4d82..15f05c41b881 100644
> > > --- a/archivers/ha/Makefile
> > > +++ b/archivers/ha/Makefile
> > > @@ -16,7 +16,8 @@ NO_WRKSUBDIR=       yes
> > >  PLIST_FILES= bin/ha
> > >  MAKEFILE=    makefile.nix
> > >  ALL_TARGET=  ha
> > > -USES=                gmake tar:tgz
> > > +USES=                cpe gmake tar:tgz
> > > +CPE_VENDOR=  linux-ha
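Review bot: CPE_VENDOR=linux-ha on the last line of this hunk binds the port to the CPE of the Linux-HA high-availability project rather than to Harri Hirvola's ha archiver, so `USES=cpe` will advertise a product this port is not and vulnerability matching will hit the wrong software. Verify the dictionary entry against the port's upstream before adding CPE data, and leave both added lines out until the entry is corrected.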
> > Are you sure that linux-ha (High-Availability Linux) cpe.vendor is applicable
> > to archivers/ha (Hirvola's archiver)?
> 
> Thanks for having a look! Being curious is definitely good because I
> only spend a few minutes per port to decide if that is a match or not.
> 
> I remember that this looked pretty strange to me as well, but here is
> what the data says. Lookup in the CPE Dictionary for
> "cpe:2.3:a:linux-ha:ha" gives me:
> 
> https://nvd.nist.gov/products/cpe/detail/917416?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Alinux-ha%3Aha&status=FINAL
> 
> That points me to:
> 
> http://www.linux-ha.org/wiki/Main_Page => dead, wayback machine
> https://web.archive.org/web/20210214054305/http://www.linux-ha.org/wiki/Main_Page
> =>
> "The Linux-HA project maintains a set of building blocks for high
> availability cluster systems"
> so definitely not the archiver
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774954 => CVE-2015-1198
> https://www.openwall.com/lists/oss-security/2015/01/18/8 => points to
> the Debian bug above
> https://nvd.nist.gov/vuln/detail/CVE-2015-1198
> 
> The Debian page definitely uses the name "Harri Hirvola", which seems
> to be the author of that archiver. The CVE talks about a directory
> traversal vulnerability in an archiver, so this sounds like what I
> expected.
> 
> After all this, it looks like the CVE points to an incorrect CPE entry.
> I will contact MITRE to dispute that CPE entry, and in the ports tree I
> will revert the commit.
I've also seen that weird Debian entry; that's why I asked.
 
> Please also have a look at CVE-2015-1198 and take some action, because
> our port is very likely also vulnerable.
There was an incomplete attempt to fix this/similar vulnerability, but
the path part of the attack still worked. So I cooked up a quick fix
by analogy with the similar vulnerability in archivers/unarj.
Reviews are welcome.


-- 
Alex
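The directory-traversal class that CVE-2015-1198 describes, and that the quick fix mentioned above addresses, comes down to one check: a member name read from an archive header must never be allowed to escape the extraction directory. The C function below is an added example of such a check; it is not the thread's patch and not code from archivers/ha or archivers/unarj. The function name `safe_member_path` and the sample member names in `main` are constructed for illustration.

```c
/* Added example: validating archive member names before extraction.
 * Not the ha or unarj port's own code; safe_member_path() is a
 * hypothetical helper written for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns true when `name` is a safe relative path and writes a
 * normalised copy (forward slashes, no trailing slash) into `out`.
 * Rejects: empty names, absolute paths, DOS drive prefixes such as
 * "C:", "." and ".." components, empty components ("a//b") and
 * control characters. Both '/' and '\\' are treated as separators so
 * a "..\\" component cannot slip past a Unix-only check; this is a
 * deliberately conservative choice that also refuses otherwise legal
 * names containing a backslash. */
bool safe_member_path(const char *name, char *out, size_t outsz)
{
    size_t n = strlen(name);
    if (n == 0 || outsz == 0 || n >= outsz)
        return false;
    if (name[0] == '/' || name[0] == '\\')        /* absolute path */
        return false;
    if (n >= 2 && name[1] == ':')                 /* "C:..." drive prefix */
        return false;

    size_t o = 0;
    const char *p = name;
    while (*p) {
        /* isolate one path component */
        const char *q = p;
        while (*q && *q != '/' && *q != '\\')
            q++;
        size_t len = (size_t)(q - p);
        if (len == 0)                             /* "a//b" */
            return false;
        if (len == 1 && p[0] == '.')              /* "." */
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.') /* ".." traversal */
            return false;
        for (size_t i = 0; i < len; i++)
            if ((unsigned char)p[i] < 0x20 || p[i] == 0x7f)
                return false;
        if (o + len + 1 >= outsz)                 /* separator + bytes + NUL */
            return false;
        if (o)
            out[o++] = '/';
        memcpy(out + o, p, len);
        o += len;
        if (*q == '\0')
            break;
        p = q + 1;                                /* a single trailing slash is dropped */
    }
    out[o] = '\0';
    return true;
}

int main(void)
{
    /* constructed sample member names, not taken from any real archive */
    const char *samples[] = {
        "docs/readme.txt", "../../etc/passwd", "/etc/passwd",
        "a/./b", "sub/..\\x", "C:\\boot.ini", "dir/", "a\\b\\c"
    };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (safe_member_path(samples[i], buf, sizeof buf))
            printf("accept  %-20s -> %s\n", samples[i], buf);
        else
            printf("reject  %s\n", samples[i]);
    }
    return 0;
}
```

Name validation is necessary but not sufficient: an extractor should also refuse to follow symbolic links that already exist under the destination when creating files, or an earlier member that plants a link can redirect a later, well-formed name outside the tree.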


