[arch-security] CVEs in Arch Linux (current, future tracking)
Ikey Doherty
ikey at solus-project.com
Thu Apr 16 00:12:29 UTC 2015
On 16/04/15 01:02, Levente Polyak wrote:
> On 04/16/2015 01:41 AM, Ikey Doherty wrote:
>> To provide a shorter response: I'm in no way saying it's the only
>> tool to use, it's just one part of a process. I'm also not saying
>> we're going to rely solely on NVD in the future, hence my comment
>> regarding "increase the amount of information", i.e. we would
>> monitor multiple sources within cve-check-tool, and cve-check-tool
>> is just one part of a set of tools.
>>
>> Regardless, this topic derailed quickly, I simply provided you
>> with a means and a set of potential CVEs - my main interest is
>> if someone intends to look into the patch naming situation.
>> I don't use Arch Linux myself so wouldn't be the one to be
>> able to implement it without assistance.
>>
>> - ikey
>
> (Please always bottom-post)
>
> I was just answering to all the information that you have posted in
> reply, nothing more nothing less!
Not suggesting otherwise. ^^
>
> Also I already answered in a very positive way to your initial
> questions: it's a great tool and I want to integrate it as additional
> source into the standard procedure for the security mitigation work we
> do in Arch Linux, look at my very first answer!
Yup, I just didn't want to send it off-topic myself. Again, not suggesting
otherwise ^^ Mostly clarifying the what is/what isn't wrt. the tool.
>
> Additionally I already provided some details on how you could improve
> the pkgbuild CVE id matching in the short term, but I will repeat it:
> - check CVE-ID is part of the *.patch filename at any position,
> allowing arbitrary prefix and suffix
> - also take into account that one patch filename may contain multiple
> CVE IDs.
>
So with this method I can catch a *few* of them, i.e. by doing globs,
but looking through there are some that won't be caught here. But it's
a start :) It will slow down runs of the tool but there's little that can
be done at this point to avoid that.
> As I have already pointed out, I will also throw the patch-naming
> situation into a discussion round (but can't yet promise anything). I
> think I got all your initial points already and also offered and
> provided assistance to those. ;-)
>
Tbh patch naming for CVEs only became more of an issue to me when
writing the tool, up until that point I personally had no reason for
even doing it in my own projects :) (normally git format-patch, etc.)
- ikey
> cheers
> Levente
>
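The matching rule Levente proposes above (a CVE id anywhere in a *.patch filename, arbitrary prefix and suffix, possibly several ids per name) as an added example; this is not cve-check-tool's own code, and the patch filenames and CVE ids are constructed sample data, not a real package.

```python
import re

# A CVE id is "CVE-", a 4-digit year, "-", and at least four digits (sequence
# numbers may be longer since 2014). Case-insensitive: real patch names use
# both "CVE-" and "cve-".
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE)

def cve_ids_in_filename(name):
    """Every CVE id found at any position in a filename, upper-cased,
    de-duplicated, in order of appearance: arbitrary prefix/suffix is
    allowed and one name may carry several ids."""
    found = []
    for year, seq in CVE_RE.findall(name):
        cve = f"CVE-{year}-{seq}"
        if cve not in found:
            found.append(cve)
    return found

def match_patches(patch_names, candidate_cves):
    """Compare a package's candidate CVE list against its *.patch files.
    Returns (covered, uncovered, extra):
      covered   - candidate id -> patch filenames mentioning it
      uncovered - candidate ids no *.patch file mentions (still to check)
      extra     - ids mentioned by patches but absent from the candidates
    Only *.patch names count, as in the suggested rule, so a ".diff" that
    fixes a CVE stays uncovered; the tool errs towards reporting."""
    mentioned = {}
    for name in patch_names:
        if not name.lower().endswith(".patch"):
            continue
        for cve in cve_ids_in_filename(name):
            mentioned.setdefault(cve, []).append(name)
    wanted = [c.upper() for c in candidate_cves]
    covered = {c: mentioned[c] for c in wanted if c in mentioned}
    uncovered = [c for c in wanted if c not in mentioned]
    extra = sorted(c for c in mentioned if c not in wanted)
    return covered, uncovered, extra

# Constructed sample data (not a real package): patch files from a PKGBUILD
# source array and CVE ids a scanner flagged for that package.
PATCHES = [
    "CVE-2015-0001.patch",
    "0003-fix-cve-2015-0002-and-CVE-2015-0003-overflow.patch",
    "foo-1.2.3-CVE-2014-1234567-fix.patch",
    "backport-CVE-2013-7777.patch",
    "fix-build.patch",
    "CVE-2015-9999.diff",
]
CANDIDATES = ["CVE-2015-0001", "CVE-2015-0002", "CVE-2015-0003",
              "CVE-2015-0004", "CVE-2014-1234567", "CVE-2015-9999"]
```

A filename mention only says a patch claims to address the id; whether the patch is actually applied and complete still has to be checked by hand, which is why the uncovered list is kept conservative.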