Date: Mon, 27 Sep 2021 13:26:14 +0200 From: =?UTF-8?Q?Bernhard_Fr=C3=B6hlich?= <decke@freebsd.org> To: Alex Kozlov <ak@freebsd.org> Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org Subject: Re: git: 8e36aa89c535 - main - archivers/ha: Add CPE information Message-ID: <CAE-m3X35RCcFrK80voiAcr=hE9Jam8o%2B7UkFGhM6dmE38rhKeA@mail.gmail.com> In-Reply-To: <20210927091710.GA21625@ravenloft.kiev.ua> References: <202109201433.18KEXHRJ053338@gitrepo.freebsd.org> <20210927091710.GA21625@ravenloft.kiev.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Sep 27, 2021 at 11:17 AM Alex Kozlov <ak@freebsd.org> wrote: > > On Mon, Sep 20, 2021 at 02:33:17PM +0000, Bernhard Froehlich wrote: > > The branch main has been updated by decke: > > > > URL: https://cgit.FreeBSD.org/ports/commit/?id=8e36aa89c5357316ed5bf1cc3d877624b51e21a6 > > > > commit 8e36aa89c5357316ed5bf1cc3d877624b51e21a6 > > Author: Bernhard Froehlich <decke@FreeBSD.org> > > AuthorDate: 2021-09-20 14:18:16 +0000 > > Commit: Bernhard Froehlich <decke@FreeBSD.org> > > CommitDate: 2021-09-20 14:18:16 +0000 > > > > archivers/ha: Add CPE information > > > > Approved by: portmgr (blanket) > > --- > > archivers/ha/Makefile | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/archivers/ha/Makefile b/archivers/ha/Makefile > > index 3e69951b4d82..15f05c41b881 100644 > > --- a/archivers/ha/Makefile > > +++ b/archivers/ha/Makefile > > @@ -16,7 +16,8 @@ NO_WRKSUBDIR= yes > > PLIST_FILES= bin/ha > > MAKEFILE= makefile.nix > > ALL_TARGET= ha > > -USES= gmake tar:tgz > > +USES= cpe gmake tar:tgz > > +CPE_VENDOR= linux-ha > Are you sure that linux-ha (High-Availability Linux) cpe.vendor is applicable > to archivers/ha (Hirvola's archiver)? Thanks for having a look! Being curious is definitely good because I only spend a few minutes per port to decide if that is a match or not. I remember that this looked pretty strange to me as well but here is what the data says. Lookup in the CPE Dictionary for "cpe:2.3:a:linux-ha:ha" gives me: https://nvd.nist.gov/products/cpe/detail/917416?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Alinux-ha%3Aha&status=FINAL That points me to: http://www.linux-ha.org/wiki/Main_Page => dead, wayback machine https://web.archive.org/web/20210214054305/http://www.linux-ha.org/wiki/Main_Page => "The Linux-HA project maintains a set of building blocks for high availability cluster systems" so definitely not the archiver https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774954 => CVE-2015-1198 https://www.openwall.com/lists/oss-security/2015/01/18/8 => points to debian bug above https://nvd.nist.gov/vuln/detail/CVE-2015-1198 The Debian page definitely uses the name "Harri Hirvola" which seems to be the author of that archiver. The CVE talks about a directory traversal vulnerability in an archiver so this sounds like what I expected. After all this looks like the CVE points to an incorrect CPE entry. I will contact MITRE to dispute that CPE entry and in the portstree I will revert the commit. Please also have a look at CVE-2015-1198 and take some actions because our port is very likely also vulnerable. -- Bernhard Froehlich http://www.bluelife.at/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAE-m3X35RCcFrK80voiAcr=hE9Jam8o%2B7UkFGhM6dmE38rhKeA>