[arch-security] CVEs in Arch Linux (current, future tracking)
Ikey Doherty
ikey at solus-project.com
Wed Apr 15 19:18:12 UTC 2015
Hi,

Today I added initial PKGBUILD support to cve-check-tool [1],
an automated CVE checking tool that works with the NVD
Database, matching versions, etc, with a given source
repository.

Currently patch detection is very flaky, as there doesn't
appear to be a consistent naming for CVE patches within
Arch Linux. I would appreciate if someone could work with
me to improve the patch detection within cve-check-tool,
or work towards patch name standardisation within Arch
Linux.

Below is an initial list of CVEs I cannot determine are
actually patched (by manually looking) - so some of them
are potentially false positives. Also note that CVE
name mapping (CPE fields) support isn't in cve-check-tool
yet, this is something I'd also like to see Arch Linux
implement to ensure a maximum surface area during checks.

Note the following appeared for glibc, I haven't had time
to check them:

CVE-2014-7817 CVE-2014-8121

[1] https://github.com/ikeydoherty/cve-check-tool

- ikey

packages/ namespace:
exiv2: CVE-2014-9449
libzip: CVE-2015-2331
htdig: CVE-2005-0085
gksu: CVE-2014-2886
cpio: CVE-2015-1197
libtar: CVE-2013-4420
mod_fcgid: CVE-2013-4365
net-snmp: CVE-2014-2285
arora: CVE-2011-3367
rsync: CVE-2014-9512
libarchive: CVE-2013-0211 CVE-2015-2304
vorbis-tools: CVE-2014-9638 CVE-2014-9640
id3lib: CVE-2007-4460
compface: CVE-2009-2286
procmail: CVE-2014-3618
xchat: CVE-2011-5129
vte: CVE-2012-2738
fcgi: CVE-2012-6687
fastjar: CVE-2010-0831 CVE-2010-2322
ppp: CVE-2014-3158
libyaml: CVE-2014-9130
potrace: CVE-2013-7437
unzip: CVE-2014-9636
lynx: CVE-2010-2810

community/ namespace:
hsolink: CVE-2010-1671 CVE-201-2929 CVE-2010-2930
arpwatch: CVE-2012-2653
echoping: CVE-2010-5111
vsftpd: CVE-2015-1419
imlib: CVE-2007-3568
uudeview: CVE-2008-2266
clearsilver: CVE-2011-4357
dtach: CVE-2012-3368
devil: CVE-2009-3994
libnids: CVE-2010-0751
tuxguitar: CVE-2010-3385
pstotext: CVE-2006-5869
plib: CVE-2011-4620 CVE-2012-4552
dopewars: CVE-2009-3591
xloadimage: CVE-2001-0775 CVE-2005-3178
xv: CVE-2004-1726 CVE-2004-1726 CVE-2005-0665
trickle: CVE-2009-0415
P.S. Apologies if this message comes through twice, issues.
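To illustrate the patch-detection heuristic the post describes (matching CVE identifiers against the patch file names in a PKGBUILD's source array) and why inconsistent naming defeats it, here is an added example in Python. It is not code from cve-check-tool or the Arch repositories; the PKGBUILD fragments and the advisory list are constructed, and the `example.invalid` URLs are placeholders.

```python
import re

# Constructed PKGBUILD fragments (not from the Arch repos) used as sample input.
PKGBUILDS = {
    "libzip": """
pkgname=libzip
pkgver=0.11.2
source=("http://example.invalid/libzip-${pkgver}.tar.xz"
        "CVE-2015-2331.patch")
""",
    "cpio": """
pkgname=cpio
pkgver=2.11
source=("http://example.invalid/cpio-${pkgver}.tar.bz2"
        "fix-symlink-overwrite.patch")
""",
}

# Constructed stand-in for the NVD feed: CVEs reported against these versions.
ADVISORIES = {"libzip": ["CVE-2015-2331"], "cpio": ["CVE-2015-1197"]}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
# Matches source=(...) and arch-specific variants such as source_x86_64=(...).
SOURCE_RE = re.compile(r"^source(?:_[a-z0-9_]+)?=\((.*?)\)", re.MULTILINE | re.DOTALL)


def patches_in_pkgbuild(text):
    """Return the local (non-URL) entries of every source=() array: the patches."""
    entries = []
    for body in SOURCE_RE.findall(text):
        for tok in body.split():
            tok = tok.strip("\"'")
            if "://" not in tok:
                entries.append(tok)
    return entries


def cves_named_in(entries):
    """CVE ids that appear literally in the patch file names."""
    return {m.group(0).upper() for e in entries for m in CVE_RE.finditer(e)}


def unpatched(pkg, text, advisories):
    """Advisory CVEs with no patch whose file name carries that CVE id.
    A patch named without its CVE id (cpio above) is invisible to this
    heuristic, which is exactly the false positive the post warns about."""
    named = cves_named_in(patches_in_pkgbuild(text))
    return [c for c in advisories.get(pkg, []) if c not in named]


def report(pkgbuilds, advisories):
    return {pkg: unpatched(pkg, text, advisories) for pkg, text in pkgbuilds.items()}
```

Running `report(PKGBUILDS, ADVISORIES)` clears libzip but flags cpio, even though cpio's patch may well fix the issue; a consistent `CVE-YYYY-NNNN` naming convention is what lets the check tell the two apart.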