[arch-security] CVEs in Arch Linux (current, future tracking)

Levente Polyak anthraxx at archlinux.org
Wed Apr 15 22:06:19 UTC 2015


Hey Ikey,

On 04/15/2015 09:18 PM, Ikey Doherty wrote:
> Today I added initial PKGBUILD support to cve-check-tool [1],
> an automated CVE checking tool that works with the NVD
> Database, matching versions, etc, with a given source
> repository.

Nice tool, looks really useful as an additional way to start tracking
affected packages that are sometimes otherwise missed. Unfortunately NVD
is often really heavily lagging behind, so approx. half of the
actively mitigated packages do not have assigned CVEs in the NVD
yet, but that's a different story :)
I think it makes real sense if I add your tool as an additional
automated CVE input source to the web-tracker that I'm developing for
the package mitigation process.

> 
> Currently patch detection is very flaky, as there doesn't
> appear to be a consistent naming for CVE patches within
> Arch Linux. I would appreciate if someone could work with
> me to improve the patch detection within cve-check-tool,
> or work towards patch name standardisation within Arch
> Linux.

Yep, that's true. Patch detection currently looks very simple; I'm aware
of several packages that have patches that fall out of this scheme.
To name some: some patches have a postfix (or suffix), something like
-overflow or similar. Others are a combination of two or more CVE IDs in
a single filename, and then there are also some that just have "random"
names describing what type of issue they fix rather than any relation to the CVE.
Patch name standardization for security-related patches in Arch will not
be that easy as it's up to the maintainers, but at least I will start a
small chat/discussion round to speak about this topic.

> 
> Below is an initial list of CVEs I cannot determine are
> actually patched (by manually looking) - so some of them
> are potentially false positives.

Thank you, it's really appreciated. I will have a deep look into those in
the following days, including an integral verification that those are
affected, to start mitigation. I have already had a rough look, and at
least I can clear out some of the false positives that I have
re-verified right now:

glibc: CVE-2014-7817 (ensured it's fixed in 2.21 via source; NVD fix
version is wrong, see [0])
cpio: CVE-2015-1197
vorbis-tools: CVE-2014-9638 CVE-2014-9640
unzip: CVE-2014-9636

cheers
Levente

[0]
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a39208bd7
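The reply above describes three ways Arch patch names defeat a simple "CVE-ID.patch" lookup: a suffix such as -overflow, several CVE IDs in one filename, and descriptive names with no CVE at all. The script below is an added example of a patch-name scanner that copes with all three; it is not cve-check-tool's code nor any Arch tooling, and the PKGBUILD fragment, the package name "example" and the patch bodies are constructed for the demonstration. A patch whose name carries no ID falls back to the patch's own description text, which is where a backport usually cites the CVE; hunk contents are deliberately ignored.

```python
import re
from typing import Dict, List, Tuple

# A CVE identifier is "CVE-" + four-digit year + "-" + four or more digits.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed PKGBUILD fragment for a hypothetical package; not a real Arch package.
SAMPLE_PKGBUILD = """\
pkgname=example
pkgver=1.2.3
pkgrel=4
source=("https://example.invalid/example-$pkgver.tar.gz"
        'CVE-2014-7817-overflow.patch'
        'CVE-2015-1197+CVE-2014-9636.patch'
        'fix-heap-corruption.patch'
        'fix-typo-in-manpage.patch'
        'example.install')
"""

# Constructed patch bodies, keyed by file name, standing in for the files that
# would sit next to the PKGBUILD in the package directory.
SAMPLE_PATCH_FILES: Dict[str, str] = {
    "CVE-2014-7817-overflow.patch":
        "Fix buffer overflow (CVE-2014-7817)\n--- a/a.c\n+++ b/a.c\n",
    "CVE-2015-1197+CVE-2014-9636.patch":
        "Two bundled upstream fixes\n--- a/b.c\n+++ b/b.c\n",
    "fix-heap-corruption.patch":
        "Backport upstream fix for cve-2014-9640\n--- a/c.c\n+++ b/c.c\n",
    "fix-typo-in-manpage.patch":
        "Spelling fix, no security impact\n--- a/d.1\n+++ b/d.1\n",
}


def parse_source_array(pkgbuild: str) -> List[str]:
    """Return the entries of the first source=( ... ) array, quotes stripped.

    Handles the usual one-per-line and single-line forms. It is a regex over
    the text, not a bash parser: entries containing spaces or a closing
    parenthesis are not supported.
    """
    m = re.search(r"^source=\((.*?)\)", pkgbuild, re.MULTILINE | re.DOTALL)
    if not m:
        return []
    return [tok.strip("'\"") for tok in m.group(1).split()]


def local_name(entry: str) -> str:
    """Sources may be written 'localname::url'; the local file name comes first."""
    return entry.split("::", 1)[0]


def is_patch(entry: str) -> bool:
    return local_name(entry).lower().endswith((".patch", ".diff"))


def cves_in_name(name: str) -> List[str]:
    """Every CVE ID in a file name, so 'CVE-A+CVE-B.patch' and
    'CVE-A-overflow.patch' both resolve. Order kept, duplicates dropped."""
    return list(dict.fromkeys(c.upper() for c in CVE_RE.findall(name)))


def cves_in_patch_header(body: str) -> List[str]:
    """CVE IDs mentioned in the patch description, i.e. the text before the
    first diff header. Hunk contents are skipped on purpose: a CVE string in
    changed source (a ChangeLog entry, say) says nothing about this patch."""
    header: List[str] = []
    for line in body.splitlines():
        if line.startswith(("diff ", "--- ", "+++ ", "@@")):
            break
        header.append(line)
    return list(dict.fromkeys(c.upper() for c in CVE_RE.findall("\n".join(header))))


def map_patches_to_cves(
    pkgbuild: str, patch_files: Dict[str, str]
) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({cve: [patch files naming it]}, [patch files with no CVE found]).

    The file name is tried first; a patch whose name carries no CVE ID falls
    back to its own description text.
    """
    by_cve: Dict[str, List[str]] = {}
    unresolved: List[str] = []
    for entry in parse_source_array(pkgbuild):
        if not is_patch(entry):
            continue
        name = local_name(entry)
        found = cves_in_name(name) or cves_in_patch_header(patch_files.get(name, ""))
        if not found:
            unresolved.append(name)
            continue
        for cve in found:
            by_cve.setdefault(cve, []).append(name)
    return by_cve, unresolved


def looks_mitigated(cve: str, by_cve: Dict[str, List[str]]) -> bool:
    """True if some listed patch references the CVE. A listing is not proof
    that prepare() applies the patch, so treat this as a hint, not a verdict."""
    return cve.upper() in by_cve


if __name__ == "__main__":
    mapping, leftovers = map_patches_to_cves(SAMPLE_PKGBUILD, SAMPLE_PATCH_FILES)
    for cve, files in sorted(mapping.items()):
        print(f"{cve}: {', '.join(files)}")
    print("patches with no CVE reference:", leftovers)
```

Patches that end up in the unresolved list are exactly the ones a tool cannot clear automatically and that, as in the list above, still need a manual look; any package whose patches all resolve can at least be dropped from the "possibly unpatched" report. Checking that a resolved patch is actually applied in prepare() is a separate step this scanner does not attempt.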
