git: 8e36aa89c535 - main - archivers/ha: Add CPE information
Bernhard Fröhlich
decke at freebsd.org
Mon Sep 27 11:26:31 UTC 2021
On Mon, Sep 27, 2021 at 11:17 AM Alex Kozlov <ak at freebsd.org> wrote:
>
> On Mon, Sep 20, 2021 at 02:33:17PM +0000, Bernhard Froehlich wrote:
> > The branch main has been updated by decke:
> >
> > URL: https://cgit.FreeBSD.org/ports/commit/?id=8e36aa89c5357316ed5bf1cc3d877624b51e21a6
> >
> > commit 8e36aa89c5357316ed5bf1cc3d877624b51e21a6
> > Author: Bernhard Froehlich <decke at FreeBSD.org>
> > AuthorDate: 2021-09-20 14:18:16 +0000
> > Commit: Bernhard Froehlich <decke at FreeBSD.org>
> > CommitDate: 2021-09-20 14:18:16 +0000
> >
> > archivers/ha: Add CPE information
> >
> > Approved by: portmgr (blanket)
> > ---
> > archivers/ha/Makefile | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/archivers/ha/Makefile b/archivers/ha/Makefile
> > index 3e69951b4d82..15f05c41b881 100644
> > --- a/archivers/ha/Makefile
> > +++ b/archivers/ha/Makefile
> > @@ -16,7 +16,8 @@ NO_WRKSUBDIR= yes
> > PLIST_FILES= bin/ha
> > MAKEFILE= makefile.nix
> > ALL_TARGET= ha
> > -USES= gmake tar:tgz
> > +USES= cpe gmake tar:tgz
> > +CPE_VENDOR= linux-ha
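Review bot: `CPE_VENDOR= linux-ha` in this hunk is the vendor string of the Linux-HA (High-Availability Linux) project rather than an obvious fit for archivers/ha (Hirvola's archiver), and the commit message "Add CPE information" gives no justification for the choice. Suggest stating in the commit message which CPE dictionary entry was matched (`cpe:2.3:a:linux-ha:ha`) and what confirms that it refers to this archiver, so reviewers can verify the vendor mapping before the port's CPE starts driving CVE matches.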
> Are you sure that linux-ha (High-Availability Linux) cpe.vendor is applicable
> to archivers/ha (Hirvola's archiver)?
Thanks for having a look! Being curious is definitely good because I only spend a few minutes per port to decide if that is a match or not.

I remember that this looked pretty strange to me as well but here is what the data says.

Lookup in the CPE Dictionary for "cpe:2.3:a:linux-ha:ha" gives me:
https://nvd.nist.gov/products/cpe/detail/917416?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Alinux-ha%3Aha&status=FINAL

That points me to:
http://www.linux-ha.org/wiki/Main_Page => dead, wayback machine
https://web.archive.org/web/20210214054305/http://www.linux-ha.org/wiki/Main_Page =>
"The Linux-HA project maintains a set of building blocks for high availability cluster systems"
so definitely not the archiver

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774954 => CVE-2015-1198
https://www.openwall.com/lists/oss-security/2015/01/18/8 => points to Debian bug above
https://nvd.nist.gov/vuln/detail/CVE-2015-1198

The Debian page definitely uses the name "Harri Hirvola" which seems to be the author of that archiver. The CVE talks about a directory traversal vulnerability in an archiver so this sounds like what I expected.

After all this, it looks like the CVE points to an incorrect CPE entry. I will contact MITRE to dispute that CPE entry and in the portstree I will revert the commit.

Please also have a look at CVE-2015-1198 and take some actions because our port is very likely also vulnerable.
--
Bernhard Froehlich
http://www.bluelife.at/
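The vendor lookup discussed in the thread, as an added example that is not code from the ports tree or its cpe.mk framework: a small CPE 2.3 parser and matcher showing how the vendor string alone decides whether CVE-2015-1198 is matched to archivers/ha. The CVE's affected CPE is a constructed stand-in, the `port_cpe` layout is simplified, and the PORTNAME-derived default vendor is an assumption about what USES=cpe emits.

```python
"""Check whether a port's CPE falls inside a CVE's affected-configuration CPE.
Added example, not code from the FreeBSD ports tree or its cpe.mk."""
import re

# The 11 components of a CPE 2.3 formatted string, in order.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed stand-in for the affected-configuration CPE NVD attaches to
# CVE-2015-1198 (vendor linux-ha, product ha); the version is left as ANY.
CONSTRUCTED_CVES = {"CVE-2015-1198": "cpe:2.3:a:linux-ha:ha:*:*:*:*:*:*:*:*"}

def parse_cpe23(cpe):
    """Split a cpe:2.3:... string into its 11 components.  A backslash-escaped
    colon (\\:) is part of a value, not a separator."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string: " + cpe)
    parts = re.split(r"(?<!\\):", cpe[len("cpe:2.3:"):])
    if len(parts) != len(FIELDS):
        raise ValueError("expected 11 components, got %d" % len(parts))
    return dict(zip(FIELDS, (p.replace("\\:", ":") for p in parts)))

def component_matches(pattern, value):
    """One field: '*' (ANY) on either side matches, else compare
    case-insensitively; an unknown port component counts as possibly hit."""
    return pattern == "*" or value == "*" or pattern.lower() == value.lower()

def cpe_affected(port_cpe, cve_cpe):
    """True when every component of the port's CPE is covered by the CVE's."""
    port, cve = parse_cpe23(port_cpe), parse_cpe23(cve_cpe)
    return all(component_matches(cve[f], port[f]) for f in FIELDS)

def port_cpe(vendor, product, version="*"):
    """Simplified form of the CPE a port advertises via USES=cpe (assumed
    layout; the real framework fills in further fields such as target_sw)."""
    return "cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*" % (vendor, product, version)

def matching_cves(vendor, product, cve_cpes=CONSTRUCTED_CVES):
    """CVE ids whose affected CPE covers the port's vendor:product."""
    mine = port_cpe(vendor, product)
    return sorted(c for c, pat in cve_cpes.items() if cpe_affected(mine, pat))

if __name__ == "__main__":
    # With the committed CPE_VENDOR the port is tied to the CVE through a
    # vendor string that belongs to a different project ...
    print(matching_cves("linux-ha", "ha"))  # ['CVE-2015-1198']
    # ... while the PORTNAME-derived default vendor (assumed) matches nothing,
    # so the archiver's CVE would go unnoticed until the CPE entry is fixed.
    print(matching_cves("ha", "ha"))        # []
```

Either outcome is a reason to record the dictionary entry that was matched: an accidental match through a foreign vendor string and a silent miss through the default one both leave the port's exposure to CVE-2015-1198 undetermined.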