package/pkg-generic.mk: use more sensible default value for <pkg>_CPE_ID_UPDATE
Setting the "update" field in the CPE ID to * doesn't actually make much sense, as * is a wildcard. Instead, this field should really reflect the "subrelease" / "update" of the package, which unless specified explicitly by the package .mk file, is empty.

Using a wildcard causes a few CVEs to be incorrectly identified as affecting some of our packages. For example https://nvd.nist.gov/vuln/detail/CVE-2013-1428 has a CPE configuration that goes like this:

  cpe:2.3:a:tinc-vpn:tinc:*:pre6:*:*:*:*:*:* up to including 1.1

and this CPE configuration is currently identified as affecting our package. This isn't correct as our package is using 1.0.36, not a "pre6" version. But because the CPE ID generated by Buildroot uses * as the "update" field, and * is the wildcard, it does match with this CPE configuration.

After this change, two CVEs are no longer identified as affecting Buildroot packages:

  https://nvd.nist.gov/vuln/detail/CVE-2013-1428
  https://nvd.nist.gov/vuln/detail/CVE-2017-9454

and in both cases they are indeed CVEs not affecting our package.

Reported-by: Titouan Christophe <titouan.christophe@mind.be>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Cc: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
committed by Arnout Vandecappelle
parent 2218f02155
commit 53a8616460
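To make the wildcard problem described in the commit message concrete, here is a small CPE 2.3 matcher. It is an added example written for this page, not Buildroot's own support/scripts/cve.py: it implements a simplified reading of the NISTIR 7695 name-matching rules (an ANY component, written `*`, matches anything; any other value must be equal) and compares dotted versions as integer tuples, which is an assumption made for the demo. It builds the package CPE ID the way the hunk below implies (part `a`, then vendor, product, version, update, all remaining fields `*`; the exact assembly layout is assumed) and checks it against the CVE-2013-1428 configuration quoted above, once with the old `*` default and once with the new empty default.

```python
"""
Added example (not Buildroot code): a minimal CPE 2.3 formatted-string
matcher showing why an "update" field of "*" (ANY) matches the NVD
configuration cpe:2.3:a:tinc-vpn:tinc:*:pre6:*:*:*:*:*:* with
versionEndIncluding 1.1, while an empty "update" field does not.

Matching rules are a simplified reading of NISTIR 7695; version ordering
is a plain numeric-tuple comparison (an assumption, not cve.py's logic).
"""

# The 11 components of a cpe:2.3 formatted string, in order.
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe):
    """Split a cpe:2.3 formatted string into its 11 named components.

    Escaped separators ('\\:') are not handled; none of the inputs used
    here contain them.
    """
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    fields = cpe[len("cpe:2.3:"):].split(":")
    if len(fields) != len(ATTRS):
        raise ValueError("expected 11 components, got %d" % len(fields))
    return dict(zip(ATTRS, fields))


def make_cpe(vendor, product, version, update):
    """Assemble a package CPE ID: part 'a', then vendor, product,
    version and update, with every remaining field set to '*'
    (assumed layout of Buildroot's generated CPE ID)."""
    return "cpe:2.3:a:%s:%s:%s:%s:*:*:*:*:*:*" % (vendor, product, version, update)


def version_key(v):
    """Integer tuple for dotted versions such as '1.0.36' (assumption)."""
    return tuple(int(x) for x in v.split("."))


def component_matches(config_value, package_value):
    """Match one component of an NVD configuration against the package.

    '*' (ANY) on either side matches anything. The package-side wildcard
    is exactly what made the old "update = *" default over-match: any
    concrete update such as 'pre6' in a CVE configuration was accepted.
    Otherwise the two values must be identical.
    """
    if config_value == "*" or package_value == "*":
        return True
    return config_value == package_value


def config_affects(config_cpe, package_cpe, version_end_including=None):
    """True if an NVD CPE configuration (optionally bounded by a
    versionEndIncluding value) matches the package's CPE ID."""
    cfg = parse_cpe(config_cpe)
    pkg = parse_cpe(package_cpe)
    for attr in ATTRS:
        if attr == "version":
            continue
        if not component_matches(cfg[attr], pkg[attr]):
            return False
    # A concrete version in the configuration must be equal; with '*'
    # in the configuration, the range bound (if any) decides.
    if cfg["version"] != "*":
        return cfg["version"] == pkg["version"]
    if version_end_including is not None:
        return version_key(pkg["version"]) <= version_key(version_end_including)
    return True


# Constructed from the CVE-2013-1428 configuration quoted in the commit
# message: update "pre6", any version up to and including 1.1.
CVE_2013_1428_CPE = "cpe:2.3:a:tinc-vpn:tinc:*:pre6:*:*:*:*:*:*"
CVE_2013_1428_END = "1.1"


def demo():
    """Compare the pre-patch ('*') and post-patch ('') update defaults."""
    old = make_cpe("tinc-vpn", "tinc", "1.0.36", "*")   # old default
    new = make_cpe("tinc-vpn", "tinc", "1.0.36", "")    # new default
    return {
        "old_cpe": old,
        "new_cpe": new,
        "old_matches": config_affects(CVE_2013_1428_CPE, old, CVE_2013_1428_END),
        "new_matches": config_affects(CVE_2013_1428_CPE, new, CVE_2013_1428_END),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

With the old default the 1.0.36 package CPE is reported as affected, because its `*` update accepts `pre6` and 1.0.36 falls under the 1.1 bound; with the empty update the `pre6` component no longer matches and the CVE is dropped. Note that a package which really is a `pre6` release (update set explicitly in its .mk file) still matches, which is the intended behaviour.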
@@ -727,8 +727,6 @@ ifeq ($$($(2)_CPE_ID_VALID),YES)
ifndef $(2)_CPE_ID_UPDATE
ifdef $(3)_CPE_ID_UPDATE
$(2)_CPE_ID_UPDATE = $$($(3)_CPE_ID_UPDATE)
else
$(2)_CPE_ID_UPDATE = *
endif
endif
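Review bot: with the `else` branch dropped, `$(2)_CPE_ID_UPDATE` is simply left unset whenever neither `$(2)_CPE_ID_UPDATE` nor `$(3)_CPE_ID_UPDATE` is defined, and nothing in the hunk records that an unset value now deliberately means "no update/subrelease"; a one-line comment above `ifndef $(2)_CPE_ID_UPDATE` (for example `# Unset means no update/subrelease; never default to '*', which is a wildcard`) would keep a later contributor from reinstating the old fallback. Since the commit message says the field ends up empty, the generated CPE ID will carry two adjacent colons where `*` used to be, so please confirm that the code assembling the full CPE ID string and the CVE matching that consumes it accept an empty component rather than only `*` or a concrete value. The default of `<pkg>_CPE_ID_UPDATE` should also be corrected wherever it is documented, as it is no longer `*`.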