From owner-dev-commits-ports-main@freebsd.org Mon Sep 27 11:26:31 2021
References: <202109201433.18KEXHRJ053338@gitrepo.freebsd.org> <20210927091710.GA21625@ravenloft.kiev.ua>
In-Reply-To: <20210927091710.GA21625@ravenloft.kiev.ua>
From: Bernhard Fröhlich
Date: Mon, 27 Sep 2021 13:26:14 +0200
Subject: Re: git: 8e36aa89c535 - main - archivers/ha: Add CPE information
To: Alex Kozlov
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org

On Mon, Sep 27, 2021 at 11:17 AM Alex Kozlov wrote:
>
> On Mon, Sep 20, 2021 at 02:33:17PM +0000, Bernhard Froehlich wrote:
> > The branch main has been updated by decke:
> >
> > URL: https://cgit.FreeBSD.org/ports/commit/?id=8e36aa89c5357316ed5bf1cc3d877624b51e21a6
> >
> > commit 8e36aa89c5357316ed5bf1cc3d877624b51e21a6
> > Author: Bernhard Froehlich
> > AuthorDate: 2021-09-20 14:18:16 +0000
> > Commit: Bernhard Froehlich
> > CommitDate: 2021-09-20 14:18:16 +0000
> >
> > archivers/ha: Add CPE information
> >
> > Approved by: portmgr (blanket)
> > ---
> > archivers/ha/Makefile | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/archivers/ha/Makefile b/archivers/ha/Makefile
> > index 3e69951b4d82..15f05c41b881 100644
> > --- a/archivers/ha/Makefile
> > +++ b/archivers/ha/Makefile
> > @@ -16,7 +16,8 @@ NO_WRKSUBDIR= yes
> > PLIST_FILES= bin/ha
> > MAKEFILE= makefile.nix
> > ALL_TARGET= ha
> > -USES= gmake tar:tgz
> > +USES= cpe gmake tar:tgz
> > +CPE_VENDOR= linux-ha
> Are you sure that linux-ha (High-Availability Linux) cpe.vendor is applicable
> to archivers/ha (Hirvola's archiver)?

Thanks for having a look! Being curious is definitely good because I only spend a few minutes per port to decide if that is a match or not.

I remember that this looked pretty strange to me as well but here is what the data says.

Lookup in the CPE Dictionary for "cpe:2.3:a:linux-ha:ha" gives me:
https://nvd.nist.gov/products/cpe/detail/917416?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Alinux-ha%3Aha&status=FINAL

That points me to:
http://www.linux-ha.org/wiki/Main_Page
=> dead, wayback machine
https://web.archive.org/web/20210214054305/http://www.linux-ha.org/wiki/Main_Page
=> "The Linux-HA project maintains a set of building blocks for high availability cluster systems" so definitely not the archiver

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774954
=> CVE-2015-1198

https://www.openwall.com/lists/oss-security/2015/01/18/8
=> points to debian bug above

https://nvd.nist.gov/vuln/detail/CVE-2015-1198

The Debian page definitely uses the name "Harri Hirvola" which seems to be the author of that archiver. The CVE talks about a directory traversal vulnerability in an archiver so this sounds like what I expected.

After all this looks like the CVE points to an incorrect CPE entry. I will contact MITRE to dispute that CPE entry and in the portstree I will revert the commit.

Please also have a look at CVE-2015-1198 and take some actions because our port is very likely also vulnerable.

--
Bernhard Froehlich
http://www.bluelife.at/
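Review bot: the `+CPE_VENDOR= linux-ha` line in the quoted hunk assigns archivers/ha the vendor of the Linux-HA cluster project, while the port packages Hirvola's archiver, as the question under the hunk and the dictionary lookup in the reply both show (the only entry found for cpe:2.3:a:linux-ha:ha describes "building blocks for high availability cluster systems"). A vendor that names a different product should not be committed on the strength of a dictionary hit alone; dropping the CPE_VENDOR line, and the `cpe` addition to USES until a dictionary entry for the archiver itself exists, is the safer change, so the revert announced in the reply is the right outcome. The commit message could also record which dictionary entry was matched, so a mismatch like this one is easier to spot in review.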
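As an added example (not code from the FreeBSD ports tree or from this thread), the following Python derives the CPE 2.3 name a port advertises from its Makefile variables and checks it against CPE match criteria of the kind NVD attaches to a CVE. It assumes USES=cpe defaults the product and vendor to the lowercased PORTNAME unless overridden; the PORTVERSION value and the second criterion are placeholders, and the CVE-2015-1198 criterion is constructed from the dictionary entry the thread names.

```python
# Added example, not code from the FreeBSD ports tree or from this thread.
# Assumption: USES=cpe derives CPE_PRODUCT from the lowercased PORTNAME and
# CPE_VENDOR from CPE_PRODUCT unless the Makefile overrides them.

def port_cpe(makefile_vars):
    """Build the CPE 2.3 formatted string a port would advertise."""
    product = makefile_vars.get("CPE_PRODUCT", makefile_vars["PORTNAME"]).lower()
    vendor = makefile_vars.get("CPE_VENDOR", product).lower()
    version = makefile_vars.get("CPE_VERSION", makefile_vars["PORTVERSION"]).lower()
    # Part "a" (application); the remaining seven components are left as ANY.
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"

def cpe_matches(criterion, candidate):
    """Component-wise match: '*' in the criterion accepts any value.

    A specific criterion value only matches the same specific candidate value,
    so an ANY component on the candidate side never satisfies a fixed one.
    """
    c_parts, x_parts = criterion.split(":"), candidate.split(":")
    if len(c_parts) != 13 or len(x_parts) != 13:
        raise ValueError("CPE 2.3 formatted strings have 13 components")
    return all(c == "*" or c == x for c, x in zip(c_parts, x_parts))

def affected_cves(cpe_name, criteria):
    """CVE ids whose match criteria cover cpe_name, in sorted order."""
    return sorted({cve for cve, crit in criteria if cpe_matches(crit, cpe_name)})

# Constructed sample data. The first criterion mirrors the NVD dictionary entry
# the thread looked up (cpe:2.3:a:linux-ha:ha); the second id is a placeholder.
SAMPLE_CRITERIA = [
    ("CVE-2015-1198", "cpe:2.3:a:linux-ha:ha:*:*:*:*:*:*:*:*"),
    ("CVE-PLACEHOLDER-1", "cpe:2.3:a:linux-ha:heartbeat:*:*:*:*:*:*:*:*"),
]

# Port variables before and after the committed hunk; PORTVERSION is a placeholder.
BEFORE_HUNK = {"PORTNAME": "ha", "PORTVERSION": "0.0"}
AFTER_HUNK = dict(BEFORE_HUNK, CPE_VENDOR="linux-ha")

if __name__ == "__main__":
    for label, port_vars in (("before", BEFORE_HUNK), ("after", AFTER_HUNK)):
        name = port_cpe(port_vars)
        print(label, name, affected_cves(name, SAMPLE_CRITERIA))
```

The vendor component alone decides which criteria the port's name hits, which is why a mismatched CPE_VENDOR changes what vulnerability matching reports for the port.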