Home Explore Help
Register Sign In
PUBLIC_REPOS
/
buildroot
mirror of git://git.buildroot.net/buildroot
2
1
Fork 0
Files
Browse Source

support/scripts/cve.py: properly match CPEs with version '*'

Currently, when the version encoded in a CPE is '-', we assume all
versions are affected, but when it's '*' with no further range
information, we assume no version is affected.

This doesn't make sense, so instead, we handle '*' and '-' in the same
way. If there's no version information available in the CVE CPE ID, we
assume all versions are affected.

This increases quite a bit the number of CVEs and package affected:

-    "total-cves": 302,
-    "pkg-cves": 100,
+    "total-cves": 597,
+    "pkg-cves": 135,

For example, CVE-2007-4476 has a CPE ID of:

    cpe:2.3:a:gnu:tar:*:*:*:*:*:*:*:*

So it should be taken into account. In this specific case, it is
combined with an AND with CPE ID
cpe:2.3:o:suse:suse_linux:10:*:enterprise_server:*:*:*:*:* but since
we don't support this kind of matching, we'd better be on the safe
side, and report this CVE as affecting tar, do an analysis of the CVE
impact, and document it in TAR_IGNORE_CVES.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni 4 years ago
parent
3f2ccb4682
commit
1ff7f003e1
1 changed files with 1 additions and 8 deletions
Unified View Show Diff Stats
  1. 1 8
      support/scripts/cve.py

+ 1 - 8
support/scripts/cve.py
View File 

@@ -144,10 +144,6 @@ class CVE:
 
                 # Version is defined, this is a '=' match
 
                 # Version is defined, this is a '=' match
 
                 op_start = '='
 
                 op_start = '='
 
                 v_start = version
 
                 v_start = version
 
-            elif version == '-':
 
-                # no version information is available
 
-                op_start = '='
 
-                v_start = version
 
             else:
 
             else:
 
                 # Parse start version, end version and operators
 
                 # Parse start version, end version and operators
 
                 if 'versionStartIncluding' in cpe:
 
                 if 'versionStartIncluding' in cpe:
 
@@ -206,11 +202,8 @@ class CVE:
 
         for cpe in self.each_cpe():
 
         for cpe in self.each_cpe():
 
             if cpe['product'] != name:
 
             if cpe['product'] != name:
 
                 continue
 
                 continue
 
-            if cpe['v_start'] == '-':
 
-                return self.CVE_AFFECTS
 
             if not cpe['v_start'] and not cpe['v_end']:
 
             if not cpe['v_start'] and not cpe['v_end']:
 
-                print("No CVE affected version")
 
-                continue
 
+                return self.CVE_AFFECTS
 
             if not pkg_version:
 
             if not pkg_version:
 
                 continue
 
                 continue