[arch-security] CVEs in Arch Linux (current, future tracking)

Ikey Doherty ikey at solus-project.com
Wed Apr 15 19:18:12 UTC 2015


Hi,

Today I added initial PKGBUILD support to cve-check-tool [1],
an automated CVE checking tool that works with the NVD
Database, matching versions, etc, with a given source
repository.

Currently patch detection is very flaky, as there doesn't
appear to be a consistent naming for CVE patches within
Arch Linux. I would appreciate if someone could work with
me to improve the patch detection within cve-check-tool,
or work towards patch name standardisation within Arch
Linux.

Below is an initial list of CVEs I cannot determine are
actually patched (by manually looking) - so some of them
are potentially false positives. Also note that CVE
name mapping (CPE fields) support isn't in cve-check-tool
yet, this is something I'd also like to see Arch Linux
implement to ensure a maximum surface area during checks.

Note the following appeared for glibc, I haven't had time
to check them:

CVE-2014-7817 CVE-2014-8121

[1] https://github.com/ikeydoherty/cve-check-tool

- ikey

packages/ namespace:

exiv2: CVE-2014-9449
libzip: CVE-2015-2331
htdig: CVE-2005-0085
gksu: CVE-2014-2886
cpio: CVE-2015-1197
libtar: CVE-2013-4420
mod_fcgid: CVE-2013-4365
net-snmp: CVE-2014-2285
arora: CVE-2011-3367
rsync: CVE-2014-9512
libarchive: CVE-2013-0211 CVE-2015-2304
vorbis-tools: CVE-2014-9638 CVE-2014-9640
id3lib: CVE-2007-4460
compface: CVE-2009-2286
procmail: CVE-2014-3618
xchat: CVE-2011-5129
vte: CVE-2012-2738
fcgi: CVE-2012-6687
fastjar: CVE-2010-0831 CVE-2010-2322
ppp: CVE-2014-3158
libyaml: CVE-2014-9130
potrace: CVE-2013-7437
unzip: CVE-2014-9636
lynx: CVE-2010-2810

community/ namespace:

hsolink: CVE-2010-1671 CVE-2010-2929 CVE-2010-2930
arpwatch: CVE-2012-2653
echoping: CVE-2010-5111
vsftpd: CVE-2015-1419
imlib: CVE-2007-3568
uudeview: CVE-2008-2266
clearsilver: CVE-2011-4357
dtach: CVE-2012-3368
devil: CVE-2009-3994
libnids: CVE-2010-0751
tuxguitar: CVE-2010-3385
pstotext: CVE-2006-5869
plib: CVE-2011-4620 CVE-2012-4552
dopewars: CVE-2009-3591
xloadimage: CVE-2001-0775 CVE-2005-3178
xv: CVE-2004-1726 CVE-2005-0665
trickle: CVE-2009-0415

P.S. Apologies if this message comes through twice; there were issues.
