[1/1] package/libtorrent-rasterbar: add CPE variables

Message ID 20210123221956.237522-1-fontaine.fabrice@gmail.com
State Accepted

Commit Message

Fabrice Fontaine Jan. 23, 2021, 10:19 p.m. UTC
cpe:2.3:a:libtorrent:libtorrent is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibtorrent%3Alibtorrent

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/libtorrent-rasterbar/libtorrent-rasterbar.mk | 2 ++
 1 file changed, 2 insertions(+)

Comments

Thomas Petazzoni Jan. 23, 2021, 10:45 p.m. UTC | #1
On Sat, 23 Jan 2021 23:19:56 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> cpe:2.3:a:libtorrent:libtorrent is a valid CPE identifier for this
> package:
> 
>   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibtorrent%3Alibtorrent
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/libtorrent-rasterbar/libtorrent-rasterbar.mk | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> index de8c122520..7f60252e9b 100644
> --- a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> +++ b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> @@ -9,6 +9,8 @@ LIBTORRENT_RASTERBAR_SITE = \
>  	https://github.com/arvidn/libtorrent/releases/download/v$(LIBTORRENT_RASTERBAR_VERSION)
>  LIBTORRENT_RASTERBAR_LICENSE = BSD-3-Clause
>  LIBTORRENT_RASTERBAR_LICENSE_FILES = COPYING
> +LIBTORRENT_RASTERBAR_CPE_ID_VENDOR = libtorrent
> +LIBTORRENT_RASTERBAR_CPE_ID_PRODUCT = libtorrent

We also have package/libtorrent/ in Buildroot. How do we know for sure
that the libtorrent:libtorrent CPE ID applies to
package/libtorrent-rasterbar/ ? Yes indeed, the latest CPE ID known for
libtorrent:libtorrent is 1.2.2, which is pretty close to the 1.2.12 we
have in Buildroot for libtorrent-rasterbar. But other than that ?

Thomas
Fabrice Fontaine Jan. 23, 2021, 10:52 p.m. UTC | #2
On Sat. 23 Jan. 2021 at 23:45, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Sat, 23 Jan 2021 23:19:56 +0100
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>
> > cpe:2.3:a:libtorrent:libtorrent is a valid CPE identifier for this
> > package:
> >
> >   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibtorrent%3Alibtorrent
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > ---
> >  package/libtorrent-rasterbar/libtorrent-rasterbar.mk | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> > index de8c122520..7f60252e9b 100644
> > --- a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> > +++ b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> > @@ -9,6 +9,8 @@ LIBTORRENT_RASTERBAR_SITE = \
> >       https://github.com/arvidn/libtorrent/releases/download/v$(LIBTORRENT_RASTERBAR_VERSION)
> >  LIBTORRENT_RASTERBAR_LICENSE = BSD-3-Clause
> >  LIBTORRENT_RASTERBAR_LICENSE_FILES = COPYING
> > +LIBTORRENT_RASTERBAR_CPE_ID_VENDOR = libtorrent
> > +LIBTORRENT_RASTERBAR_CPE_ID_PRODUCT = libtorrent
>
> We also have package/libtorrent/ in Buildroot. How do we know for sure
> that the libtorrent:libtorrent CPE ID applies to
> package/libtorrent-rasterbar/ ? Yes indeed, the latest CPE ID known for
> libtorrent:libtorrent is 1.2.2, which is pretty close to the 1.2.12 we
> have in Buildroot for libtorrent-rasterbar. But other than that ?
Because the NIST database contains the following information for this
CPE (https://nvd.nist.gov/products/cpe/detail/659515?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Alibtorrent%3Alibtorrent&status=FINAL):
Product http://libtorrent.org/
Version https://github.com/arvidn/libtorrent

I was not able to find libtorrent (a.k.a.
https://github.com/rakshasa/rtorrent) in the NIST database.
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
Best Regards,

Fabrice
Yann E. MORIN Jan. 24, 2021, 4:30 p.m. UTC | #3
On 2021-01-23 23:45 +0100, Thomas Petazzoni spake thusly:
> On Sat, 23 Jan 2021 23:19:56 +0100
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> 
> > cpe:2.3:a:libtorrent:libtorrent is a valid CPE identifier for this
> > package:
> > 
> >   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibtorrent%3Alibtorrent
> > 
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > ---
> >  package/libtorrent-rasterbar/libtorrent-rasterbar.mk | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> > index de8c122520..7f60252e9b 100644
> > --- a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> > +++ b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> > @@ -9,6 +9,8 @@ LIBTORRENT_RASTERBAR_SITE = \
> >  	https://github.com/arvidn/libtorrent/releases/download/v$(LIBTORRENT_RASTERBAR_VERSION)
> >  LIBTORRENT_RASTERBAR_LICENSE = BSD-3-Clause
> >  LIBTORRENT_RASTERBAR_LICENSE_FILES = COPYING
> > +LIBTORRENT_RASTERBAR_CPE_ID_VENDOR = libtorrent
> > +LIBTORRENT_RASTERBAR_CPE_ID_PRODUCT = libtorrent
> 
> We also have package/libtorrent/ in Buildroot. How do we know for sure
> that the libtorrent:libtorrent CPE ID applies to
> package/libtorrent-rasterbar/ ? Yes indeed, the latest CPE ID known for
> libtorrent:libtorrent is 1.2.2, which is pretty close to the 1.2.12 we
> have in Buildroot for libtorrent-rasterbar. But other than that ?

libtorrent-rasterbar is the release archive of the libtorrent project;
    https://github.com/arvidn/libtorrent/releases/tag/v1.2.12

Applied to master, thanks.

Regards,
Yann E. MORIN.

> Thomas
> -- 
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
Yann E. MORIN Jan. 24, 2021, 4:36 p.m. UTC | #4
Thomas, All,

On 2021-01-24 17:30 +0100, Yann E. MORIN spake thusly:
> On 2021-01-23 23:45 +0100, Thomas Petazzoni spake thusly:
> > On Sat, 23 Jan 2021 23:19:56 +0100
> > Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> > > cpe:2.3:a:libtorrent:libtorrent is a valid CPE identifier for this
> > > package:
> > >   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibtorrent%3Alibtorrent
[--SNIP--]
> > We also have package/libtorrent/ in Buildroot. How do we know for sure
> > that the libtorrent:libtorrent CPE ID applies to
> > package/libtorrent-rasterbar/ ? Yes indeed, the latest CPE ID known for
> > libtorrent:libtorrent is 1.2.2, which is pretty close to the 1.2.12 we
> > have in Buildroot for libtorrent-rasterbar. But other than that ?
> libtorrent-rasterbar is the release archive of the libtorrent project;
>     https://github.com/arvidn/libtorrent/releases/tag/v1.2.12

Oh, sorry, I misunderstood you...

libtorrent-rasterbar references two CVEs:

    commit a4b2f636cc6146b85558777cdda59fd55312a0e2
    Author: Arvid Norberg <arvid@cs.umu.se>
    Date:   Mon Jul 29 17:45:26 2019 -0700

        update changelog to include CVE references

    diff --git a/ChangeLog b/ChangeLog
    index d301d9f1c..a9745286f 100644
    --- a/ChangeLog
    +++ b/ChangeLog
    @@ -223,7 +223,7 @@
            * fix IPv6 tracker support by performing the second announce in
            * more cases
            * fix utf-8 encoding check in torrent parser
            * fix infinite loop when parsing maliciously crafted torrents
    -       * fix invalid read in parse_int in bdecoder
    +       * fix invalid read in parse_int in bdecoder (CVE-2017-9847)
            * fix issue with very long tracker- and web seed URLs
            * don't attempt to create empty files on startup, if they
            * already exist
            * fix force-recheck issue (new files would not be picked up)
    @@ -312,7 +312,7 @@

     1.1.1 release

    -       * update puff.c for gzip inflation
    +       * update puff.c for gzip inflation (CVE-2016-7164)
            * add dht_bootstrap_node a setting in settings_pack (and add
            * default)
            * make pad-file and symlink support conform to BEP47
            * fix piece picker bug that could result in division by zero

And those two CVEs are attributed to libtorrent in the NIST DB:

    https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&seach_type=all&query=cpe:2.3:a:libtorrent:libtorrent:*:-:*:*:*:*:*:*

Regards,
Yann E. MORIN.
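The two variables in this patch exist so that Buildroot's CVE tooling can compose a CPE 2.3 name for the package and compare it with NVD records. The script below is an added example, not Buildroot's own code and not NVD data: it builds the CPE name from the variables the patch sets, assumes the version falls back to the package version (1.2.12) because the patch does not override it, and runs it against CONSTRUCTED CVE records with placeholder ids and ranges. It also flags the failure mode Thomas raised: when the CPE dictionary's newest entry (1.2.2) lags the version Buildroot ships (1.2.12), a record that names only an exact older version never matches, and that silent "not affected" deserves a manual look.

```python
"""Added example (not Buildroot's own code, not NVD data): how the CPE_ID
variables a Buildroot package sets become a CPE 2.3 name, and how that
name is compared with NVD-style CVE match criteria.

Assumptions, labelled here: the version falls back to <PKG>_VERSION when
<PKG>_CPE_ID_VERSION is unset (this patch sets only vendor and product);
the CVE records below are CONSTRUCTED placeholders shaped like NVD
"cpe_match" entries, with made-up ids and ranges.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Buildroot variables as a plain dict. Values come from the patch hunk and
# the 1.2.12 version discussed in the thread; the dict itself is constructed.
BUILDROOT_VARS = {
    "LIBTORRENT_RASTERBAR_VERSION": "1.2.12",
    "LIBTORRENT_RASTERBAR_CPE_ID_VENDOR": "libtorrent",
    "LIBTORRENT_RASTERBAR_CPE_ID_PRODUCT": "libtorrent",
}


def mk_prefix(pkg: str) -> str:
    """Buildroot derives the variable prefix from the package name."""
    return pkg.upper().replace("-", "_")


def cpe_name(variables: dict, pkg: str) -> Optional[str]:
    """CPE 2.3 formatted string for a package, or None when the package
    declares no vendor/product (no CPE id means no CVE matching at all)."""
    p = mk_prefix(pkg)
    vendor = variables.get(f"{p}_CPE_ID_VENDOR")
    product = variables.get(f"{p}_CPE_ID_PRODUCT")
    if not vendor or not product:
        return None
    # Assumption: version defaults to the package version when not overridden.
    version = variables.get(f"{p}_CPE_ID_VERSION", variables[f"{p}_VERSION"])
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


def split_cpe(cpe: str) -> list:
    """Split a CPE 2.3 formatted string on unescaped colons (13 fields)."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return fields


def version_key(v: str) -> tuple:
    """Order versions numerically per dotted component (1.2.12 > 1.2.2)."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.split(r"[.\-]", v))


@dataclass
class CpeMatch:
    """One NVD-style criterion: a CPE name plus an optional version range."""
    criteria: str
    start_including: Optional[str] = None
    end_including: Optional[str] = None
    end_excluding: Optional[str] = None


def criterion_hits(m: CpeMatch, vendor: str, product: str, version: str) -> bool:
    c = split_cpe(m.criteria)
    if c[3] != vendor or c[4] != product:
        return False
    if c[5] != "*":  # exact-version criterion: only that one version matches
        return c[5] == version
    k = version_key(version)
    if m.start_including and k < version_key(m.start_including):
        return False
    if m.end_including and k > version_key(m.end_including):
        return False
    if m.end_excluding and k >= version_key(m.end_excluding):
        return False
    return True


# CONSTRUCTED sample records: ids and ranges are placeholders, not NVD data.
ANY_LIBTORRENT = "cpe:2.3:a:libtorrent:libtorrent:*:*:*:*:*:*:*:*"
SAMPLE_CVES = {
    "CVE-0000-0001": [CpeMatch(ANY_LIBTORRENT, end_excluding="1.1.1")],
    "CVE-0000-0002": [CpeMatch(ANY_LIBTORRENT, start_including="1.2.0",
                               end_including="1.2.12")],
    "CVE-0000-0003": [CpeMatch("cpe:2.3:a:libtorrent:libtorrent:1.2.2:*:*:*:*:*:*:*")],
    "CVE-0000-0004": [CpeMatch("cpe:2.3:a:othervendor:libtorrent:*:*:*:*:*:*:*:*")],
}


def affected_cves(cpe: str, cves: dict) -> list:
    """CVE ids whose criteria match the package's CPE name."""
    _, _, _, vendor, product, version, *_ = split_cpe(cpe)
    return [cid for cid, ms in cves.items()
            if any(criterion_hits(m, vendor, product, version) for m in ms)]


def exact_only_same_product(cpe: str, cves: dict) -> list:
    """CVE ids on the same vendor:product whose criteria name only exact
    versions other than ours: silent false negatives when the dictionary
    lags the shipped version, so they need a manual check."""
    _, _, _, vendor, product, version, *_ = split_cpe(cpe)
    out = []
    for cid, ms in cves.items():
        same = [c for c in (split_cpe(m.criteria) for m in ms)
                if c[3] == vendor and c[4] == product]
        if same and all(c[5] not in ("*", version) for c in same):
            out.append(cid)
    return out


if __name__ == "__main__":
    name = cpe_name(BUILDROOT_VARS, "libtorrent-rasterbar")
    print(name)
    print("affected:", affected_cves(name, SAMPLE_CVES))
    print("review manually:", exact_only_same_product(name, SAMPLE_CVES))
    print("package/libtorrent:", cpe_name(BUILDROOT_VARS, "libtorrent"))
```

Running it prints the composed name `cpe:2.3:a:libtorrent:libtorrent:1.2.12:*:*:*:*:*:*:*`, one range-based hit, one exact-version record held back for manual review, and `None` for package/libtorrent, which in this thread declares no CPE id and therefore never enters CVE matching at all.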
Patch

diff --git a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
index de8c122520..7f60252e9b 100644
--- a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
+++ b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
@@ -9,6 +9,8 @@  LIBTORRENT_RASTERBAR_SITE = \
 	https://github.com/arvidn/libtorrent/releases/download/v$(LIBTORRENT_RASTERBAR_VERSION)
 LIBTORRENT_RASTERBAR_LICENSE = BSD-3-Clause
 LIBTORRENT_RASTERBAR_LICENSE_FILES = COPYING
+LIBTORRENT_RASTERBAR_CPE_ID_VENDOR = libtorrent
+LIBTORRENT_RASTERBAR_CPE_ID_PRODUCT = libtorrent
 LIBTORRENT_RASTERBAR_DEPENDENCIES = host-pkgconf boost openssl
 LIBTORRENT_RASTERBAR_INSTALL_STAGING = YES
 LIBTORRENT_RASTERBAR_CONF_OPTS = \
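Review bot: the vendor:product pair set here is the same string as the separate package/libtorrent/ directory in Buildroot, and which project the CPE id covers had to be settled in the thread (the NVD entry points at libtorrent.org and github.com/arvidn/libtorrent, and the 1.2.12 release archive comes from that project). A short comment above the two assignments recording that evidence, e.g. `# libtorrent:libtorrent in NVD is arvidn/libtorrent (libtorrent.org), not package/libtorrent`, would spare the next reviewer the same check. Also, since the hunk sets only vendor and product, CVE matching will use the package version 1.2.12, while the thread notes the newest dictionary entry for this CPE is 1.2.2; the match results are worth re-checking once NVD lists newer versions.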