From e464ac667297d2acf57e52438a39cadc87b95da2 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 15 Oct 2019 10:21:41 +0200 Subject: tests: Skip container test when lacking kernel support. This is a followup to 96b35998e610c7fc37bf87bf9e07e63d3bebd0a3. * tests/containers.scm ("eval/container, non-empty load path"): Add missing 'skip-if-unsupported' call. --- tests/containers.scm | 1 + 1 file changed, 1 insertion(+) (limited to 'tests') diff --git a/tests/containers.scm b/tests/containers.scm index 01fbcbb45a..7b63e5c108 100644 --- a/tests/containers.scm +++ b/tests/containers.scm @@ -269,6 +269,7 @@ (lset= string=? (cons* "." ".." (map basename reqs)) (pk (call-with-input-file result read)))))))))) +(skip-if-unsupported) (test-assert "eval/container, non-empty load path" (call-with-temporary-directory (lambda (directory) -- cgit 1.4.1 From 81c580c8664bfeeb767e2c47ea343004e88223c7 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Wed, 16 Oct 2019 11:51:42 +0200 Subject: daemon: Make 'profiles/per-user' non-world-writable. Fixes . Reported at . Based on Nix commit 5a303093dcae1e5ce9212616ef18f2ca51020b0d by Eelco Dolstra . * nix/libstore/local-store.cc (LocalStore::LocalStore): Set 'perUserDir' to #o755 instead of #o1777. (LocalStore::createUser): New function. * nix/libstore/local-store.hh (LocalStore): Add it. * nix/libstore/store-api.hh (StoreAPI): Add it. * nix/nix-daemon/nix-daemon.cc (performOp): In 'wopSetOptions', add condition to handle "user-name" property and honor it. (processConnection): Add 'userId' parameter. Call 'store->createUser' when userId is not -1. * guix/profiles.scm (ensure-profile-directory): Note that this is now handled by the daemon. * guix/store.scm (current-user-name): New procedure. (set-build-options): Add #:user-name parameter and pass it to the daemon. * tests/guix-daemon.sh: Test the creation of 'profiles/per-user' when listening on a TCP socket. * tests/store.scm ("profiles/per-user exists and is not writable") ("profiles/per-user/$USER exists"): New tests. --- guix/profiles.scm | 3 ++- guix/store.scm | 12 ++++++++++++ nix/libstore/local-store.cc | 17 +++++++++++++++-- nix/libstore/local-store.hh | 2 ++ nix/libstore/store-api.hh | 4 ++++ nix/nix-daemon/nix-daemon.cc | 24 ++++++++++++++++++++++-- tests/guix-daemon.sh | 21 +++++++++++++++++++++ tests/store.scm | 13 ++++++++++++- 8 files changed, 90 insertions(+), 6 deletions(-) (limited to 'tests') diff --git a/guix/profiles.scm b/guix/profiles.scm index f5c863945c..cd3b21e390 100644 --- a/guix/profiles.scm +++ b/guix/profiles.scm @@ -1732,7 +1732,8 @@ because the NUMBER is zero.)" (string-append %profile-directory "/guix-profile")) (define (ensure-profile-directory) - "Attempt to create /…/profiles/per-user/$USER if needed." + "Attempt to create /…/profiles/per-user/$USER if needed. Nowadays this is +taken care of by the daemon." (let ((s (stat %profile-directory #f))) (unless (and s (eq? 'directory (stat:type s))) (catch 'system-error diff --git a/guix/store.scm b/guix/store.scm index d7c603898c..382aad29d9 100644 --- a/guix/store.scm +++ b/guix/store.scm @@ -748,6 +748,14 @@ encoding conversion errors." (cut string-append "http://" <>)) '("ci.guix.gnu.org"))) +(define (current-user-name) + "Return the name of the calling user." + (catch #t + (lambda () + (passwd:name (getpwuid (getuid)))) + (lambda _ + (getenv "USER")))) + (define* (set-build-options server #:key keep-failed? keep-going? fallback? (verbosity 0) @@ -759,6 +767,7 @@ encoding conversion errors." (build-verbosity 0) (log-type 0) (print-build-trace #t) + (user-name (current-user-name)) ;; When true, provide machine-readable "build ;; traces" for use by (guix status). Old clients @@ -849,6 +858,9 @@ encoding conversion errors." `(("build-repeat" . ,(number->string (max 0 (1- rounds))))) '()) + ,@(if user-name + `(("user-name" . ,user-name)) + '()) ,@(if terminal-columns `(("terminal-columns" . ,(number->string terminal-columns))) diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 3b08492c64..3793382361 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc @@ -88,8 +88,9 @@ LocalStore::LocalStore(bool reserveSpace) Path perUserDir = profilesDir + "/per-user"; createDirs(perUserDir); - if (chmod(perUserDir.c_str(), 01777) == -1) - throw SysError(format("could not set permissions on '%1%' to 1777") % perUserDir); + if (chmod(perUserDir.c_str(), 0755) == -1) + throw SysError(format("could not set permissions on '%1%' to 755") + % perUserDir); mode_t perm = 01775; @@ -1642,4 +1643,16 @@ void LocalStore::vacuumDB() } +void LocalStore::createUser(const std::string & userName, uid_t userId) +{ + auto dir = settings.nixStateDir + "/profiles/per-user/" + userName; + + createDirs(dir); + if (chmod(dir.c_str(), 0755) == -1) + throw SysError(format("changing permissions of directory '%s'") % dir); + if (chown(dir.c_str(), userId, -1) == -1) + throw SysError(format("changing owner of directory '%s'") % dir); +} + + } diff --git a/nix/libstore/local-store.hh b/nix/libstore/local-store.hh index 4113fafcb5..2e48cf03e6 100644 --- a/nix/libstore/local-store.hh +++ b/nix/libstore/local-store.hh @@ -180,6 +180,8 @@ public: void setSubstituterEnv(); + void createUser(const std::string & userName, uid_t userId); + private: Path schemaPath; diff --git a/nix/libstore/store-api.hh b/nix/libstore/store-api.hh index 2d9dcbd573..7d2ad2270d 100644 --- a/nix/libstore/store-api.hh +++ b/nix/libstore/store-api.hh @@ -289,6 +289,10 @@ public: /* Check the integrity of the Nix store. Returns true if errors remain. */ virtual bool verifyStore(bool checkContents, bool repair) = 0; + + /* Create a profile for the given user. This is done by the daemon + because the 'profiles/per-user' directory is not writable by users. */ + virtual void createUser(const std::string & userName, uid_t userId) = 0; }; diff --git a/nix/nix-daemon/nix-daemon.cc b/nix/nix-daemon/nix-daemon.cc index 1163a249d1..3dd156ba77 100644 --- a/nix/nix-daemon/nix-daemon.cc +++ b/nix/nix-daemon/nix-daemon.cc @@ -613,6 +613,17 @@ static void performOp(bool trusted, unsigned int clientVersion, || name == "build-repeat" || name == "multiplexed-build-output") settings.set(name, value); + else if (name == "user-name" + && settings.clientUid == (uid_t) -1) { + /* Create the user profile. This is necessary if + clientUid = -1, for instance because the client + connected over TCP. */ + struct passwd *pw = getpwnam(value.c_str()); + if (pw != NULL) + store->createUser(value, pw->pw_uid); + else + printMsg(lvlInfo, format("user name %1% not found") % value); + } else settings.set(trusted ? name : "untrusted-" + name, value); } @@ -731,7 +742,7 @@ static void performOp(bool trusted, unsigned int clientVersion, } -static void processConnection(bool trusted) +static void processConnection(bool trusted, uid_t userId) { canSendStderr = false; _writeToStderr = tunnelStderr; @@ -778,6 +789,15 @@ static void processConnection(bool trusted) /* Open the store. */ store = std::shared_ptr(new LocalStore(reserveSpace)); + if (userId != (uid_t) -1) { + /* Create the user profile. */ + struct passwd *pw = getpwuid(userId); + if (pw != NULL && pw->pw_name != NULL) + store->createUser(pw->pw_name, userId); + else + printMsg(lvlInfo, format("user with UID %1% not found") % userId); + } + stopWork(); to.flush(); @@ -963,7 +983,7 @@ static void acceptConnection(int fdSocket) /* Handle the connection. */ from.fd = remote; to.fd = remote; - processConnection(trusted); + processConnection(trusted, clientUid); exit(0); }, false, "unexpected build daemon error: ", true); diff --git a/tests/guix-daemon.sh b/tests/guix-daemon.sh index 758f18cc36..b58500966b 100644 --- a/tests/guix-daemon.sh +++ b/tests/guix-daemon.sh @@ -94,6 +94,27 @@ done kill "$daemon_pid" +# Make sure 'profiles/per-user' is created when connecting over TCP. + +orig_GUIX_STATE_DIRECTORY="$GUIX_STATE_DIRECTORY" +GUIX_STATE_DIRECTORY="$GUIX_STATE_DIRECTORY-2" + +guix-daemon --disable-chroot --listen="localhost:9877" & +daemon_pid=$! + +GUIX_DAEMON_SOCKET="guix://localhost:9877" +export GUIX_DAEMON_SOCKET + +test ! -d "$GUIX_STATE_DIRECTORY/profiles/per-user" + +guix build guile-bootstrap -d + +test -d "$GUIX_STATE_DIRECTORY/profiles/per-user/$USER" + +kill "$daemon_pid" +unset GUIX_DAEMON_SOCKET +GUIX_STATE_DIRECTORY="$orig_GUIX_STATE_DIRECTORY" + # Check the failed build cache. guix-daemon --no-substitutes --listen="$socket" --disable-chroot \ diff --git a/tests/store.scm b/tests/store.scm index 518750d26a..2b14a4af0a 100644 --- a/tests/store.scm +++ b/tests/store.scm @@ -18,6 +18,7 @@ (define-module (test-store) #:use-module (guix tests) + #:use-module (guix config) #:use-module (guix store) #:use-module (guix utils) #:use-module (guix monads) @@ -102,7 +103,17 @@ "/283gqy39v3g9dxjy26rynl0zls82fmcg-guile-2.0.7/bin/guile"))) (not (direct-store-path? (%store-prefix))))) -(test-skip (if %store 0 13)) +(test-skip (if %store 0 15)) + +(test-equal "profiles/per-user exists and is not writable" + #o755 + (stat:perms (stat (string-append %state-directory "/profiles/per-user")))) + +(test-equal "profiles/per-user/$USER exists" + (list (getuid) #o755) + (let ((s (stat (string-append %state-directory "/profiles/per-user/" + (passwd:name (getpwuid (getuid))))))) + (list (stat:uid s) (stat:perms s)))) (test-equal "add-data-to-store" #vu8(1 2 3 4 5) -- cgit 1.4.1 From 79c03e55e26d88c8d327daced02367abe7f17f91 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 20 Oct 2019 22:03:12 +0200 Subject: tests: Avoid now-deprecated 'make-struct'. * tests/cve.scm (vulnerability): Use 'make-struct/no-tail' instead of 'make-struct', which is deprecated. * tests/lint.scm ("cve: one vulnerability") ("cve: one patched vulnerability") ("cve: known safe from vulnerability") ("cve: vulnerability fixed in replacement version") ("cve: patched vulnerability in replacement"): Likewise. --- tests/cve.scm | 2 +- tests/lint.scm | 40 ++++++++++++++++++++-------------------- 2 files changed, 21 insertions(+), 21 deletions(-) (limited to 'tests') diff --git a/tests/cve.scm b/tests/cve.scm index 3fbb22d3c6..e95b21c073 100644 --- a/tests/cve.scm +++ b/tests/cve.scm @@ -25,7 +25,7 @@ (search-path %load-path "tests/cve-sample.xml")) (define (vulnerability id packages) - (make-struct (@@ (guix cve) ) 0 id packages)) + (make-struct/no-tail (@@ (guix cve) ) id packages)) (define %expected-vulnerabilities ;; What we should get when reading %SAMPLE. diff --git a/tests/lint.scm b/tests/lint.scm index 1b92f02b85..3a9b539a24 100644 --- a/tests/lint.scm +++ b/tests/lint.scm @@ -758,10 +758,10 @@ "probably vulnerable to CVE-2015-1234" (mock ((guix lint) package-vulnerabilities (lambda (package) - (list (make-struct (@@ (guix cve) ) 0 - "CVE-2015-1234" - (list (cons (package-name package) - (package-version package))))))) + (list (make-struct/no-tail (@@ (guix cve) ) + "CVE-2015-1234" + (list (cons (package-name package) + (package-version package))))))) (single-lint-warning-message (check-vulnerabilities (dummy-package "pi" (version "3.14")))))) @@ -769,10 +769,10 @@ '() (mock ((guix lint) package-vulnerabilities (lambda (package) - (list (make-struct (@@ (guix cve) ) 0 - "CVE-2015-1234" - (list (cons (package-name package) - (package-version package))))))) + (list (make-struct/no-tail (@@ (guix cve) ) + "CVE-2015-1234" + (list (cons (package-name package) + (package-version package))))))) (check-vulnerabilities (dummy-package "pi" (version "3.14") @@ -785,10 +785,10 @@ '() (mock ((guix lint) package-vulnerabilities (lambda (package) - (list (make-struct (@@ (guix cve) ) 0 - "CVE-2015-1234" - (list (cons (package-name package) - (package-version package))))))) + (list (make-struct/no-tail (@@ (guix cve) ) + "CVE-2015-1234" + (list (cons (package-name package) + (package-version package))))))) (check-vulnerabilities (dummy-package "pi" (version "3.14") @@ -800,10 +800,10 @@ (lambda (package) (match (package-version package) ("0" - (list (make-struct (@@ (guix cve) ) 0 - "CVE-2015-1234" - (list (cons (package-name package) - (package-version package)))))) + (list (make-struct/no-tail (@@ (guix cve) ) + "CVE-2015-1234" + (list (cons (package-name package) + (package-version package)))))) ("1" '())))) (check-vulnerabilities @@ -815,10 +815,10 @@ '() (mock ((guix lint) package-vulnerabilities (lambda (package) - (list (make-struct (@@ (guix cve) ) 0 - "CVE-2015-1234" - (list (cons (package-name package) - (package-version package))))))) + (list (make-struct/no-tail (@@ (guix cve) ) + "CVE-2015-1234" + (list (cons (package-name package) + (package-version package))))))) (check-vulnerabilities (dummy-package "pi" (version "3.14") (source (dummy-origin)) -- cgit 1.4.1 From 74afaa37d5dec1a9d1b83951529ba69d8947fb07 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 20 Oct 2019 22:10:00 +0200 Subject: cve: Rewrite to read the JSON feed instead of the XML feed. The XML feed was discontinued on Oct. 16th, 2019: * guix/cve.scm (string->date*): New procedure. (, , ): New record types. (cpe-match->cve-configuration, configuration-data->cve-configurations) (json->cve-items, version-matches?): New procedures. (yearly-feed-uri): Change URL to refer to JSON feed. (cpe->product-alist, %parse-vulnerability-feed) (xml->vulnerabilities): Remove. (cve-configuration->package-list, merge-package-lists) (cve-item->vulnerability, json->vulnerabilities): New procedures. (write-cache): Use 'json->vulnerabilities' instead of 'xml->vulnerabilities', and remove 'parameterize'. (vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is true. * tests/cve.scm (%sample): Use 'tests/cve-sample.json'. (%expected-vulnerabilities): Rewrite accordingly. ("json->cve-items", "cve-item-published-date") ("json->vulnerabilities"): New tests. ("xml->vulnerabilities"): Remove. ("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities. * tests/cve-sample.json: New file. * tests/cve-sample.xml: Remove. * Makefile.am (EXTRA_DIST): Adjust accordingly. * doc/guix.texi (Invoking guix lint): Update nist.gov URLs. --- Makefile.am | 2 +- doc/guix.texi | 4 +- guix/cve.scm | 376 ++++++++++----- tests/cve-sample.json | 1279 +++++++++++++++++++++++++++++++++++++++++++++++++ tests/cve-sample.xml | 616 ------------------------ tests/cve.scm | 83 +++- 6 files changed, 1605 insertions(+), 755 deletions(-) create mode 100644 tests/cve-sample.json delete mode 100644 tests/cve-sample.xml (limited to 'tests') diff --git a/Makefile.am b/Makefile.am index 36767c2f47..b1f33946c5 100644 --- a/Makefile.am +++ b/Makefile.am @@ -564,7 +564,7 @@ EXTRA_DIST += \ tests/test.drv \ tests/signing-key.pub \ tests/signing-key.sec \ - tests/cve-sample.xml \ + tests/cve-sample.json \ build-aux/config.rpath \ bootstrap \ doc/build.scm \ diff --git a/doc/guix.texi b/doc/guix.texi index cb004d034d..746561ed97 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -9484,7 +9484,7 @@ that limit has been reset. @cindex CVE, Common Vulnerabilities and Exposures Report known vulnerabilities found in the Common Vulnerabilities and Exposures (CVE) databases of the current and past year -@uref{https://nvd.nist.gov/download.cfm#CVE_FEED, published by the US +@uref{https://nvd.nist.gov/vuln/data-feeds, published by the US NIST}. To view information about a particular vulnerability, visit pages such as: @@ -9501,7 +9501,7 @@ where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g., @code{CVE-2015-7554}. Package developers can specify in package recipes the -@uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)} +@uref{https://nvd.nist.gov/products/cpe,Common Platform Enumeration (CPE)} name and version of the package when they differ from the name or version that Guix uses, as in this example: diff --git a/guix/cve.scm b/guix/cve.scm index 99754fa1f6..903d94a8a6 100644 --- a/guix/cve.scm +++ b/guix/cve.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2015, 2016, 2017, 2018 Ludovic Courtès +;;; Copyright © 2015, 2016, 2017, 2018, 2019 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -19,21 +19,43 @@ (define-module (guix cve) #:use-module (guix utils) #:use-module (guix http-client) - #:use-module (sxml ssax) + #:use-module (guix json) + #:use-module (guix i18n) + #:use-module (json) #:use-module (web uri) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) #:use-module (srfi srfi-11) #:use-module (srfi srfi-19) #:use-module (srfi srfi-26) + #:use-module (srfi srfi-34) + #:use-module (srfi srfi-35) #:use-module (ice-9 match) #:use-module (ice-9 regex) #:use-module (ice-9 vlist) - #:export (vulnerability? + #:export (json->cve-items + + cve-item? + cve-item-cve + cve-item-configurations + cve-item-published-date + cve-item-last-modified-date + + cve? + cve-id + cve-data-type + cve-data-format + cvs-references + + cve-reference? + cve-reference-url + cve-reference-tags + + vulnerability? vulnerability-id vulnerability-packages - xml->vulnerabilities + json->vulnerabilities current-vulnerabilities vulnerabilities->lookup-proc)) @@ -41,15 +63,174 @@ ;;; ;;; This modules provides the tools to fetch, parse, and digest part of the ;;; Common Vulnerabilities and Exposures (CVE) feeds provided by the US NIST -;;; at . +;;; at . ;;; ;;; Code: -(define-record-type - (vulnerability id packages) - vulnerability? - (id vulnerability-id) ;string - (packages vulnerability-packages)) ;((p1 v1 v2 v3) (p2 v1) ...) +(define (string->date* str) + (string->date str "~Y-~m-~dT~H:~M~z")) + +(define-json-mapping cve-item cve-item? + json->cve-item + (cve cve-item-cve "cve" json->cve) ; + (configurations cve-item-configurations ;list of sexps + "configurations" configuration-data->cve-configurations) + (published-date cve-item-published-date + "publishedDate" string->date*) + (last-modified-date cve-item-last-modified-date + "lastModifiedDate" string->date*)) + +(define-json-mapping cve cve? + json->cve + (id cve-id "CVE_data_meta" ;string + (cut assoc-ref <> "ID")) + (data-type cve-data-type ;'CVE + "data_type" string->symbol) + (data-format cve-data-format ;'MITRE + "data_format" string->symbol) + (references cve-item-references ;list of + "references" reference-data->cve-references)) + +(define-json-mapping cve-reference cve-reference? + json->cve-reference + (url cve-reference-url) ;string + (tags cve-reference-tags ;list of strings + "tags" vector->list)) + +(define (reference-data->cve-references alist) + (map json->cve-reference + (vector->list (assoc-ref alist "reference_data")))) + +(define %cpe-package-rx + ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes + ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL". + (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):")) + +(define (cpe->package-name cpe) + "Converts the Common Platform Enumeration (CPE) string CPE to a package +name, in a very naive way. Return two values: the package name, and its +version string. Return #f and #f if CPE does not look like an application CPE +string." + (cond ((regexp-exec %cpe-package-rx cpe) + => + (lambda (matches) + (values (match:substring matches 2) + (match (match:substring matches 3) + ("*" '_) + (version + (string-append version + (match (match:substring matches 4) + ("" "") + (patch-level + ;; Drop the colon from things like + ;; "cpe:2.3:a:openbsd:openssh:6.8:p1". + (string-drop patch-level 1))))))))) + (else + (values #f #f)))) + +(define (cpe-match->cve-configuration alist) + "Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package +and versions matched. Return #f if ALIST doesn't correspond to an application +package." + (let ((cpe (assoc-ref alist "cpe23Uri")) + (starti (assoc-ref alist "versionStartIncluding")) + (starte (assoc-ref alist "versionStartExcluding")) + (endi (assoc-ref alist "versionEndIncluding")) + (ende (assoc-ref alist "versionEndExcluding"))) + (let-values (((package version) (cpe->package-name cpe))) + (and package + `(,package + ,(cond ((and (or starti starte) (or endi ende)) + `(and ,(if starti `(>= ,starti) `(> ,starte)) + ,(if endi `(<= ,endi) `(< ,ende)))) + (starti `(>= ,starti)) + (starte `(> ,starte)) + (endi `(<= ,endi)) + (ende `(< ,ende)) + (else version))))))) + +(define (configuration-data->cve-configurations alist) + "Given ALIST, a JSON dictionary for the baroque \"configurations\" +element found in CVEs, return an sexp such as (\"binutils\" (< +\"2.31\")) that represents matching configurations." + (define string->operator + (match-lambda + ("OR" 'or) + ("AND" 'and))) + + (define (node->configuration node) + (let ((operator (string->operator (assoc-ref node "operator")))) + (cond + ((assoc-ref node "cpe_match") + => + (lambda (matches) + (let ((matches (vector->list matches))) + (match (filter-map cpe-match->cve-configuration + matches) + (() #f) + ((one) one) + (lst (cons operator lst)))))) + ((assoc-ref node "children") ;typically for 'and' + => + (lambda (children) + (match (filter-map node->configuration (vector->list children)) + (() #f) + ((one) one) + (lst (cons operator lst))))) + (else + #f)))) + + (let ((nodes (vector->list (assoc-ref alist "nodes")))) + (filter-map node->configuration nodes))) + +(define (json->cve-items json) + "Parse JSON, an input port or a string, and return a list of +records." + (let* ((alist (json->scm json)) + (type (assoc-ref alist "CVE_data_type")) + (format (assoc-ref alist "CVE_data_format")) + (version (assoc-ref alist "CVE_data_version"))) + (unless (equal? type "CVE") + (raise (condition (&message + (message "invalid CVE feed"))))) + (unless (equal? format "MITRE") + (raise (condition + (&message + (message (format #f (G_ "unsupported CVE format: '~a'") + format)))))) + (unless (equal? version "4.0") + (raise (condition + (&message + (message (format #f (G_ "unsupported CVE data version: '~a'") + version)))))) + + (map json->cve-item + (vector->list (assoc-ref alist "CVE_Items"))))) + +(define (version-matches? version sexp) + "Return true if VERSION, a string, matches SEXP." + (match sexp + ('_ + #t) + ((? string? expected) + (version-prefix? expected version)) + (('or sexps ...) + (any (cut version-matches? version <>) sexps)) + (('and sexps ...) + (every (cut version-matches? version <>) sexps)) + (('< max) + (version>? max version)) + (('<= max) + (version>=? max version)) + (('> min) + (version>? version min)) + (('>= min) + (version>=? version min)))) + + +;;; +;;; High-level interface. +;;; (define %now (current-date)) @@ -61,8 +242,8 @@ (define (yearly-feed-uri year) "Return the URI for the CVE feed for YEAR." (string->uri - (string-append "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-" - (number->string year) ".xml.gz"))) + (string-append "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-" + (number->string year) ".json.gz"))) (define %current-year-ttl ;; According to , feeds are @@ -73,102 +254,11 @@ ;; Update the previous year's database more and more infrequently. (* 3600 24 (date-month %now))) -(define %cpe-package-rx - ;; For applications: "cpe:/a:VENDOR:PACKAGE:VERSION", or sometimes - ;; "cpe/a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL". - (make-regexp "^cpe:/a:([^:]+):([^:]+):([^:]+)((:.+)?)")) - -(define (cpe->package-name cpe) - "Converts the Common Platform Enumeration (CPE) string CPE to a package -name, in a very naive way. Return two values: the package name, and its -version string. Return #f and #f if CPE does not look like an application CPE -string." - (cond ((regexp-exec %cpe-package-rx (string-trim-both cpe)) - => - (lambda (matches) - (values (match:substring matches 2) - (string-append (match:substring matches 3) - (match (match:substring matches 4) - ("" "") - (patch-level - ;; Drop the colon from things like - ;; "cpe:/a:openbsd:openssh:6.8:p1". - (string-drop patch-level 1))))))) - (else - (values #f #f)))) - -(define (cpe->product-alist products) - "Given PRODUCTS, a list of CPE names, return the subset limited to the -applications listed in PRODUCTS, with names converted to package names: - - (cpe->product-alist - '(\"cpe:/a:gnu:libtasn1:4.7\" \"cpe:/a:gnu:libtasn1:4.6\" \"cpe:/a:gnu:cpio:2.11\")) - => ((\"libtasn1\" \"4.7\" \"4.6\") (\"cpio\" \"2.11\")) -" - (fold (lambda (product result) - (let-values (((name version) (cpe->package-name product))) - (if name - (match result - (((previous . versions) . tail) - ;; Attempt to coalesce NAME and PREVIOUS. - (if (string=? name previous) - (alist-cons name (cons version versions) tail) - (alist-cons name (list version) result))) - (() - (alist-cons name (list version) result))) - result))) - '() - (sort products string and return a list of - ;; vulnerability objects. - (ssax:make-parser NEW-LEVEL-SEED - (lambda (elem-gi attributes namespaces expected-content - seed) - (match elem-gi - ((name-space . 'entry) - (cons (assoc-ref attributes 'id) seed)) - ((name-space . 'vulnerable-software-list) - (cons '() seed)) - ((name-space . 'product) - (cons 'product seed)) - (x seed))) - - FINISH-ELEMENT - (lambda (elem-gi attributes namespaces parent-seed - seed) - (match elem-gi - ((name-space . 'entry) - (match seed - (((? string? id) . rest) - ;; Some entries have no vulnerable-software-list. - rest) - ((products id . rest) - (match (cpe->product-alist products) - (() - ;; No application among PRODUCTS. - rest) - (packages - (cons (vulnerability id packages) - rest)))))) - (x - seed))) - - CHAR-DATA-HANDLER - (lambda (str _ seed) - (match seed - (('product software-list . rest) - ;; Add STR to the vulnerable software list this - ;; tag is part of. - (cons (cons str software-list) rest)) - (x x))))) - -(define (xml->vulnerabilities port) - "Read from PORT an XML feed of vulnerabilities and return a list of -vulnerability objects." - (reverse (%parse-vulnerability-feed port '()))) +(define-record-type + (vulnerability id packages) + vulnerability? + (id vulnerability-id) ;string + (packages vulnerability-packages)) ;((p1 sexp1) (p2 sexp2) ...) (define vulnerability->sexp (match-lambda @@ -180,16 +270,70 @@ vulnerability objects." (('v id (packages ...)) (vulnerability id packages)))) +(define (cve-configuration->package-list config) + "Parse CONFIG, a config sexp, and return a list of the form (P SEXP) +where P is a package name and SEXP expresses constraints on the matching +versions." + (let loop ((config config) + (packages '())) + (match config + (('or configs ...) + (fold loop packages configs)) + (('and config _ ...) ;XXX + (loop config packages)) + (((? string? package) '_) ;any version + (cons `(,package _) + (alist-delete package packages))) + (((? string? package) sexp) + (let ((previous (assoc-ref packages package))) + (if previous + (cons `(,package (or ,sexp ,@previous)) + (alist-delete package packages)) + (cons `(,package ,sexp) packages))))))) + +(define (merge-package-lists lst) + "Merge the list in LST, each of which has the form (p sexp), where P +is the name of a package and SEXP is an sexp that constrains matching +versions." + (fold (lambda (plist result) ;XXX: quadratic + (fold (match-lambda* + (((package version) result) + (match (assoc-ref result package) + (#f + (cons `(,package ,version) result)) + ((previous) + (cons `(,package (or ,version ,previous)) + (alist-delete package result)))))) + result + plist)) + '() + lst)) + +(define (cve-item->vulnerability item) + "Return a corresponding to ITEM, a record; +return #f if ITEM does not list any configuration or if it does not list +any \"a\" (application) configuration." + (let ((id (cve-id (cve-item-cve item)))) + (match (cve-item-configurations item) + (() ;no configurations + #f) + ((configs ...) + (vulnerability id + (merge-package-lists + (map cve-configuration->package-list configs))))))) + +(define (json->vulnerabilities json) + "Parse JSON, an input port or a string, and return the list of +vulnerabilities found therein." + (filter-map cve-item->vulnerability (json->cve-items json))) + (define (write-cache input cache) - "Read vulnerabilities as gzipped XML from INPUT, and write it as a compact + "Read vulnerabilities as gzipped JSON from INPUT, and write it as a compact sexp to CACHE." (call-with-decompressed-port 'gzip input (lambda (input) - ;; XXX: The SSAX "error port" is used to send pointless warnings such as - ;; "warning: Skipping PI". Turn that off. (define vulns - (parameterize ((current-ssax-error-port (%make-void-port "w"))) - (xml->vulnerabilities input))) + (json->vulnerabilities input)) (write `(vulnerabilities 1 ;format version @@ -215,7 +359,7 @@ the given TTL (fetch from the NIST web site when TTL has expired)." (lambda () (read-options options))))) - ;; Note: We used to keep the original XML files in cache but parsing it + ;; Note: We used to keep the original JSON files in cache but parsing it ;; would take typically ~15s for a year of data. Thus, we instead store a ;; summarized version thereof as an sexp, which can be parsed in 1s or so. (let* ((port (http-fetch/cached (yearly-feed-uri year) @@ -269,8 +413,8 @@ vulnerabilities affecting the given package version." (vhash-fold* (if version (lambda (pair result) (match pair - ((vuln . versions) - (if (member version versions) + ((vuln sexp) + (if (version-matches? version sexp) (cons vuln result) result)))) (lambda (pair result) diff --git a/tests/cve-sample.json b/tests/cve-sample.json new file mode 100644 index 0000000000..39816f9dd4 --- /dev/null +++ b/tests/cve-sample.json @@ -0,0 +1,1279 @@ +{ + "CVE_data_type" : "CVE", + "CVE_data_format" : "MITRE", + "CVE_data_version" : "4.0", + "CVE_data_numberOfCVEs" : "9826", + "CVE_data_timestamp" : "2019-10-17T07:00Z", + "CVE_Items" : [ { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-0001", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-400" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.securityfocus.com/bid/106541", + "name" : "106541", + "refsource" : "BID", + "tags" : [ "Third Party Advisory", "VDB Entry" ] + }, { + "url" : "https://kb.juniper.net/JSA10900", + "name" : "https://kb.juniper.net/JSA10900", + "refsource" : "CONFIRM", + "tags" : [ "Vendor Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "Receipt of a malformed packet on MX Series devices with dynamic vlan configuration can trigger an uncontrolled recursion loop in the Broadband Edge subscriber management daemon (bbe-smgd), and lead to high CPU usage and a crash of the bbe-smgd service. Repeated receipt of the same packet can result in an extended denial of service condition for the device. Affected releases are Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S1; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3-S1; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:*:*:*:*:*:*:*" + } ] + } { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.2:*:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:r2:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.2:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.2:r1-s3:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.2:r1-s4:*:*:*:*:*:*" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "attackVector" : "NETWORK", + "attackComplexity" : "HIGH", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseScore" : 5.9, + "baseSeverity" : "MEDIUM" + }, + "exploitabilityScore" : 2.2, + "impactScore" : 3.6 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "COMPLETE", + "baseScore" : 7.1 + }, + "severity" : "HIGH", + "exploitabilityScore" : 8.6, + "impactScore" : 6.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } + }, + "publishedDate" : "2019-01-15T21:29Z", + "lastModifiedDate" : "2019-10-09T23:43Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-0005", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-400" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.securityfocus.com/bid/106665", + "name" : "106665", + "refsource" : "BID", + "tags" : [ "Third Party Advisory" ] + }, { + "url" : "https://kb.juniper.net/JSA10905", + "name" : "https://kb.juniper.net/JSA10905", + "refsource" : "CONFIRM", + "tags" : [ "Vendor Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "On EX2300, EX3400, EX4600, QFX3K and QFX5K series, firewall filter configuration cannot perform packet matching on any IPv6 extension headers. This issue may allow IPv6 packets that should have been blocked to be forwarded. IPv4 packet filtering is unaffected by this vulnerability. Affected releases are Juniper Networks Junos OS on EX and QFX series;: 14.1X53 versions prior to 14.1X53-D47; 15.1 versions prior to 15.1R7; 15.1X53 versions prior to 15.1X53-D234 on QFX5200/QFX5110 series; 15.1X53 versions prior to 15.1X53-D591 on EX2300/EX3400 series; 16.1 versions prior to 16.1R7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R2." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d10:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d15:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d16:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d25:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d26:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d27:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d30:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d35:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d40:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d42:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d43:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d44:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d45:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d46:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r2:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r3:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r4:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r5:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r6:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d20:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d21:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d30:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d32:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d33:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d34:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d50:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d51:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d52:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d20:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d21:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d210:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d230:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d234:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d30:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d32:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d33:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d34:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d50:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d51:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d52:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d55:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d57:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d58:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d59:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d590:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r2:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r3:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r3-s10:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r4:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r5:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r6:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r6-s6:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r7:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:r1:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:r1-s7:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:r2:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.3:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.3:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.3:r2:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:gfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.4:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.4:r1:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.1:r1:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "LOW", + "availabilityImpact" : "NONE", + "baseScore" : 5.3, + "baseSeverity" : "MEDIUM" + }, + "exploitabilityScore" : 3.9, + "impactScore" : 1.4 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authentication" : "NONE", + "confidentialityImpact" : "NONE", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "NONE", + "baseScore" : 5.0 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 10.0, + "impactScore" : 2.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } + }, + "publishedDate" : "2019-01-15T21:29Z", + "lastModifiedDate" : "2019-02-14T18:40Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-14811", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-264" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html", + "name" : "openSUSE-SU-2019:2223", + "refsource" : "SUSE", + "tags" : [ ] + }, { + "url" : "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html", + "name" : "openSUSE-SU-2019:2222", + "refsource" : "SUSE", + "tags" : [ ] + }, { + "url" : "https://access.redhat.com/errata/RHBA-2019:2824", + "name" : "RHBA-2019:2824", + "refsource" : "REDHAT", + "tags" : [ ] + }, { + "url" : "https://access.redhat.com/errata/RHSA-2019:2594", + "name" : "RHSA-2019:2594", + "refsource" : "REDHAT", + "tags" : [ ] + }, { + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811", + "refsource" : "CONFIRM", + "tags" : [ "Exploit", "Issue Tracking", "Mitigation", "Patch", "Third Party Advisory" ] + }, { + "url" : "https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html", + "name" : "[debian-lts-announce] 20190909 [SECURITY] [DLA 1915-1] ghostscript security update", + "refsource" : "MLIST", + "tags" : [ ] + }, { + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/", + "name" : "FEDORA-2019-ebd6c4f15a", + "refsource" : "FEDORA", + "tags" : [ ] + }, { + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/", + "name" : "FEDORA-2019-0a9d525d71", + "refsource" : "FEDORA", + "tags" : [ ] + }, { + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/", + "name" : "FEDORA-2019-953fc0f16d", + "refsource" : "FEDORA", + "tags" : [ ] + }, { + "url" : "https://seclists.org/bugtraq/2019/Sep/15", + "name" : "20190910 [SECURITY] [DSA 4518-1] ghostscript security update", + "refsource" : "BUGTRAQ", + "tags" : [ ] + }, { + "url" : "https://www.debian.org/security/2019/dsa-4518", + "name" : "DSA-4518", + "refsource" : "DEBIAN", + "tags" : [ ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "9.28" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseScore" : 7.8, + "baseSeverity" : "HIGH" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 5.9 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "baseScore" : 6.8 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 8.6, + "impactScore" : 6.4, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : true + } + }, + "publishedDate" : "2019-09-03T16:15Z", + "lastModifiedDate" : "2019-09-10T03:15Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-17365", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-276" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.openwall.com/lists/oss-security/2019/10/09/4", + "name" : "http://www.openwall.com/lists/oss-security/2019/10/09/4", + "refsource" : "MISC", + "tags" : [ "Exploit", "Mailing List", "Third Party Advisory" ] + }, { + "url" : "http://www.openwall.com/lists/oss-security/2019/10/10/1", + "name" : "[oss-security] 20191010 Re: CVE-2019-17365: Nix per-user profile directory hijack", + "refsource" : "MLIST", + "tags" : [ "Third Party Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "Nix through 2.3 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*", + "versionEndIncluding" : "2.3" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.1", + "vectorString" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "LOW", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseScore" : 7.8, + "baseSeverity" : "HIGH" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 5.9 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:L/AC:L/Au:N/C:P/I:P/A:P", + "accessVector" : "LOCAL", + "accessComplexity" : "LOW", + "authentication" : "NONE", + "confidentialityImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "baseScore" : 4.6 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 3.9, + "impactScore" : 6.4, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } + }, + "publishedDate" : "2019-10-09T22:15Z", + "lastModifiedDate" : "2019-10-11T13:19Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-1010180", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-119" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.securityfocus.com/bid/109367", + "name" : "109367", + "refsource" : "BID", + "tags" : [ "Third Party Advisory", "VDB Entry" ] + }, { + "url" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23657", + "name" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23657", + "refsource" : "MISC", + "tags" : [ "Exploit", "Issue Tracking", "Third Party Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed version is: Not fixed yet." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:gnu:gdb:*:*:*:*:*:*:*:*" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseScore" : 7.8, + "baseSeverity" : "HIGH" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 5.9 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "baseScore" : 6.8 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 8.6, + "impactScore" : 6.4, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : true + } + }, + "publishedDate" : "2019-07-24T13:15Z", + "lastModifiedDate" : "2019-08-01T15:39Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-1010204", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-125" + }, { + "lang" : "en", + "value" : "CWE-20" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "https://security.netapp.com/advisory/ntap-20190822-0001/", + "name" : "https://security.netapp.com/advisory/ntap-20190822-0001/", + "refsource" : "CONFIRM", + "tags" : [ ] + }, { + "url" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "name" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "refsource" : "MISC", + "tags" : [ "Issue Tracking", "Third Party Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "2.21", + "versionEndIncluding" : "2.31.1" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:gnu:binutils_gold:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "1.11", + "versionEndIncluding" : "1.16" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseScore" : 5.5, + "baseSeverity" : "MEDIUM" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 3.6 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "PARTIAL", + "baseScore" : 4.3 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 8.6, + "impactScore" : 2.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : true + } + }, + "publishedDate" : "2019-07-23T14:15Z", + "lastModifiedDate" : "2019-08-22T07:15Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-18192", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.openwall.com/lists/oss-security/2019/10/17/3", + "name" : "[oss-security] 20191017 CVE-2019-18192: Insecure permissions on Guix profile directory", + "refsource" : "MLIST", + "tags" : [ ] + }, { + "url" : "https://issues.guix.gnu.org/issue/37744", + "name" : "https://issues.guix.gnu.org/issue/37744", + "refsource" : "MISC", + "tags" : [ ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "GNU Guix 1.0.1 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable, a similar issue to CVE-2019-17365." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ ] + }, + "impact" : { }, + "publishedDate" : "2019-10-17T20:15Z", + "lastModifiedDate" : "2019-10-17T20:29Z" + } ] +} diff --git a/tests/cve-sample.xml b/tests/cve-sample.xml deleted file mode 100644 index ce158490f1..0000000000 --- a/tests/cve-sample.xml +++ /dev/null @@ -1,616 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - cpe:/o:microsoft:windows_2000::sp2:professional - cpe:/o:linux:linux_kernel:2.4.4 - cpe:/o:microsoft:windows_2000_terminal_services::sp1 - cpe:/o:microsoft:windows_2000::sp1:advanced_server - cpe:/o:linux:linux_kernel:2.4.19 - cpe:/o:microsoft:windows_2000::sp2:advanced_server - cpe:/o:microsoft:windows_2000_terminal_services - cpe:/o:microsoft:windows_2000:::advanced_server - cpe:/o:linux:linux_kernel:2.4.20 - cpe:/o:netbsd:netbsd:1.5.1 - cpe:/o:microsoft:windows_2000_terminal_services::sp2 - cpe:/o:netbsd:netbsd:1.5.3 - cpe:/o:netbsd:netbsd:1.5.2 - cpe:/o:linux:linux_kernel:2.4.6 - cpe:/o:linux:linux_kernel:2.4.9 - cpe:/o:microsoft:windows_2000:::datacenter_server - cpe:/o:netbsd:netbsd:1.6 - cpe:/o:netbsd:netbsd:1.5 - cpe:/o:linux:linux_kernel:2.4.7 - cpe:/o:linux:linux_kernel:2.4.8 - cpe:/o:microsoft:windows_2000::sp1:datacenter_server - cpe:/o:microsoft:windows_2000::sp2:datacenter_server - cpe:/o:freebsd:freebsd:4.3 - cpe:/o:linux:linux_kernel:2.4.10 - cpe:/o:microsoft:windows_2000::sp1:server - cpe:/o:freebsd:freebsd:4.5 - cpe:/o:linux:linux_kernel:2.4.12 - cpe:/o:freebsd:freebsd:4.2 - cpe:/o:freebsd:freebsd:4.7 - cpe:/o:freebsd:freebsd:4.4 - cpe:/o:freebsd:freebsd:4.6 - cpe:/o:microsoft:windows_2000::sp2:server - cpe:/o:linux:linux_kernel:2.4.18 - cpe:/o:linux:linux_kernel:2.4.1 - cpe:/o:linux:linux_kernel:2.4.15 - cpe:/o:microsoft:windows_2000:::server - cpe:/o:linux:linux_kernel:2.4.17 - cpe:/o:linux:linux_kernel:2.4.14 - cpe:/o:linux:linux_kernel:2.4.2 - cpe:/o:microsoft:windows_2000:::professional - cpe:/o:linux:linux_kernel:2.4.11 - cpe:/o:linux:linux_kernel:2.4.5 - cpe:/o:linux:linux_kernel:2.4.16 - cpe:/o:microsoft:windows_2000::sp1:professional - cpe:/o:linux:linux_kernel:2.4.13 - cpe:/o:linux:linux_kernel:2.4.3 - - CVE-2003-0001 - 2003-01-17T00:00:00.000-05:00 - 2015-11-24T13:05:47.073-05:00 - - - 5.0 - NETWORK - LOW - NONE - PARTIAL - NONE - NONE - http://nvd.nist.gov - 2015-11-24T12:23:33.593-05:00 - - - - - - CERT-VN - VU#412115 - - - BUGTRAQ - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE - - - BUGTRAQ - 20030117 Re: More information regarding Etherleak - - - BUGTRAQ - 20030106 Etherleak: Ethernet frame padding information leakage (A010603-1) - - - REDHAT - RHSA-2003:088 - - - REDHAT - RHSA-2003:025 - - - OSVDB - 9962 - - - CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html - - - MISC - http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf - - - ATSTAKE - A010603-1 - - - FULLDISC - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE - - - MISC - http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html - - - BUGTRAQ - 20030110 More information regarding Etherleak - - - VULNWATCH - 20030110 More information regarding Etherleak - - - - - Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. - - - - - - - - - cpe:/a:tcp:tcp - - CVE-2004-0230 - 2004-08-18T00:00:00.000-04:00 - 2015-11-24T13:06:40.597-05:00 - - - 5.0 - NETWORK - LOW - NONE - NONE - NONE - PARTIAL - http://nvd.nist.gov - 2015-11-24T12:17:30.930-05:00 - - - - - - - - - CERT - TA04-111A - - - CERT-VN - VU#415294 - - - CONFIRM - https://kc.mcafee.com/corporate/index?page=content&id=SB10053 - - - XF - tcp-rst-dos(15886) - - - VUPEN - ADV-2006-3983 - - - MISC - http://www.uniras.gov.uk/vuls/2004/236929/index.htm - - - BID - 10183 - - - BUGTRAQ - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE - - - HP - SSRT061264 - - - OSVDB - 4030 - - - CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html - - - MS - MS06-064 - - - MS - MS05-019 - - - CISCO - 20040420 TCP Vulnerabilities in Multiple IOS-Based Cisco Products - - - FULLDISC - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE - - - MISC - http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html - - - HP - SSRT4696 - - - BUGTRAQ - 20040425 Perl code exploting TCP not checking RST ACK. - - - CONFIRM - http://kb.juniper.net/JSA10638 - - - SGI - 20040403-01-A - - - SCO - SCOSA-2005.14 - - - SCO - SCOSA-2005.9 - - - SCO - SCOSA-2005.3 - - - NETBSD - NetBSD-SA2004-006 - - - - - - - - - - - - - - - - - TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. - - - - - - - - - - cpe:/a:vastal:phpvid:1.1 - cpe:/a:vastal:phpvid:1.2 - - CVE-2008-2335 - 2008-05-19T09:20:00.000-04:00 - 2015-11-24T11:45:25.057-05:00 - - - 4.3 - NETWORK - MEDIUM - NONE - NONE - PARTIAL - NONE - http://nvd.nist.gov - 2015-11-24T10:50:05.737-05:00 - - - - - XF - phpvid-query-xss(42450) - - - VUPEN - ADV-2008-2552 - - - BID - 29238 - - - MILW0RM - 6422 - - - EXPLOIT-DB - 27519 - - - MISC - http://tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/ - - - FULLDISC - 20150310 Vastal I-tech phpVID 1.2.3 Multiple XSS (Cross-site Scripting) Security Vulnerabilities - - - MISC - http://packetstormsecurity.com/files/130755/Vastal-I-tech-phpVID-1.2.3-Cross-Site-Scripting.html - - - MISC - http://packetstormsecurity.com/files/122746/PHP-VID-XSS-SQL-Injection-CRLF-Injection.html - - - OSVDB - 45171 - - - MISC - http://holisticinfosec.org/content/view/65/45/ - - Cross-site scripting (XSS) vulnerability in search_results.php in Vastal I-Tech phpVID 1.1 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: some of these details are obtained from third party information. NOTE: it was later reported that 1.2.3 is also affected. - - - - - - - - - - - - - - cpe:/a:redhat:enterprise_virtualization:3.5 - cpe:/a:jasper_project:jasper:1.900.1 - - CVE-2008-3522 - 2008-10-02T14:18:05.790-04:00 - 2015-11-24T11:46:04.933-05:00 - - - 10.0 - NETWORK - LOW - NONE - COMPLETE - COMPLETE - COMPLETE - http://nvd.nist.gov - 2015-11-24T10:05:46.467-05:00 - - - ALLOWS_ADMIN_ACCESS - - - XF - jasper-jasstreamprintf-bo(45623) - - - UBUNTU - USN-742-1 - - - BID - 31470 - - - MANDRIVA - MDVSA-2009:164 - - - MANDRIVA - MDVSA-2009:144 - - - MANDRIVA - MDVSA-2009:142 - - - GENTOO - GLSA-200812-18 - - - REDHAT - RHSA-2015:0698 - - - MISC - http://bugs.gentoo.org/show_bug.cgi?id=222819 - - - MISC - http://bugs.gentoo.org/attachment.cgi?id=163282&action=view - - Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - cpe:/o:canonical:ubuntu_linux:10.04::~~lts~~~ - cpe:/o:canonical:ubuntu_linux:8.04:-:lts - cpe:/o:canonical:ubuntu_linux:10.10 - cpe:/a:sun:openoffice.org:2.1.0 - cpe:/a:sun:openoffice.org:2.3.0 - cpe:/a:sun:openoffice.org:2.2.1 - - - CVE-2009-3301 - 2010-02-16T14:30:00.533-05:00 - 2015-11-17T10:59:44.723-05:00 - - - 9.3 - NETWORK - MEDIUM - NONE - COMPLETE - COMPLETE - COMPLETE - http://nvd.nist.gov - 2015-11-17T10:02:50.097-05:00 - - - - - - CERT - TA10-287A - - - CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=533038 - - - XF - openoffice-word-sprmtdeftable-bo(56240) - - - VUPEN - ADV-2010-2905 - - - VUPEN - ADV-2010-0635 - - - VUPEN - ADV-2010-0366 - - - UBUNTU - USN-903-1 - - - BID - 38218 - - - REDHAT - RHSA-2010:0101 - - - CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html - - - CONFIRM - http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html - - - CONFIRM - http://www.openoffice.org/security/bulletin.html - - - MANDRIVA - MDVSA-2010:221 - - - GENTOO - GLSA-201408-19 - - - DEBIAN - DSA-1995 - - - SECTRACK - 1023591 - - - SUSE - SUSE-SA:2010:017 - - - - - Integer underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTDefTable table property modifier in a Word document. - - - CVE-2015-8330 - 2015-11-24T15:59:25.897-05:00 - 2015-11-24T15:59:26.930-05:00 - - MISC - https://www.onapsis.com/blog/analyzing-sap-security-notes-november-2015 - - - MISC - http://erpscan.com/advisories/erpscan-15-032-sap-pco-agent-dos-vulnerability/ - - The PCo agent in SAP Plant Connectivity (PCo) allows remote attackers to cause a denial of service (memory corruption and agent crash) via crafted xMII requests, aka SAP Security Note 2238619. - - diff --git a/tests/cve.scm b/tests/cve.scm index e95b21c073..b69da0e120 100644 --- a/tests/cve.scm +++ b/tests/cve.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2015, 2016 Ludovic Courtès +;;; Copyright © 2015, 2016, 2019 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -19,10 +19,11 @@ (define-module (test-cve) #:use-module (guix cve) #:use-module (srfi srfi-1) + #:use-module (srfi srfi-19) #:use-module (srfi srfi-64)) (define %sample - (search-path %load-path "tests/cve-sample.xml")) + (search-path %load-path "tests/cve-sample.json")) (define (vulnerability id packages) (make-struct/no-tail (@@ (guix cve) ) id packages)) @@ -30,34 +31,76 @@ (define %expected-vulnerabilities ;; What we should get when reading %SAMPLE. (list - ;; CVE-2003-0001 has no "/a" in its product list so it is omitted. - ;; CVE-2004-0230 lists "tcp" as an application, but lacks a version number. - (vulnerability "CVE-2008-2335" '(("phpvid" "1.2" "1.1"))) - (vulnerability "CVE-2008-3522" '(("enterprise_virtualization" "3.5") - ("jasper" "1.900.1"))) - (vulnerability "CVE-2009-3301" '(("openoffice.org" "2.3.0" "2.2.1" "2.1.0"))) - ;; CVE-2015-8330 has no software list. + (vulnerability "CVE-2019-0001" + ;; Only the "a" CPE configurations are kept; the "o" + ;; configurations are discarded. + '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2"))))) + (vulnerability "CVE-2019-0005" + '(("junos" (or "18.11" "18.1")))) + ;; CVE-2019-0005 has no "a" configurations. + (vulnerability "CVE-2019-14811" + '(("ghostscript" (< "9.28")))) + (vulnerability "CVE-2019-17365" + '(("nix" (<= "2.3")))) + (vulnerability "CVE-2019-1010180" + '(("gdb" _))) ;any version + (vulnerability "CVE-2019-1010204" + '(("binutils" (and (>= "2.21") (<= "2.31.1"))) + ("binutils_gold" (and (>= "1.11") (<= "1.16"))))) + ;; CVE-2019-18192 has no associated configurations. )) (test-begin "cve") -(test-equal "xml->vulnerabilities" +(test-equal "json->cve-items" + '("CVE-2019-0001" + "CVE-2019-0005" + "CVE-2019-14811" + "CVE-2019-17365" + "CVE-2019-1010180" + "CVE-2019-1010204" + "CVE-2019-18192") + (map (compose cve-id cve-item-cve) + (call-with-input-file %sample json->cve-items))) + +(test-equal "cve-item-published-date" + '(2019) + (delete-duplicates + (map (compose date-year cve-item-published-date) + (call-with-input-file %sample json->cve-items)))) + +(test-equal "json->vulnerabilities" %expected-vulnerabilities - (call-with-input-file %sample xml->vulnerabilities)) + (call-with-input-file %sample json->vulnerabilities)) (test-equal "vulnerabilities->lookup-proc" - (list (list (first %expected-vulnerabilities)) + (list (list (third %expected-vulnerabilities)) ;ghostscript + (list (third %expected-vulnerabilities)) + '() + + (list (fifth %expected-vulnerabilities)) ;gdb + (list (fifth %expected-vulnerabilities)) + + (list (fourth %expected-vulnerabilities)) ;nix '() + + (list (sixth %expected-vulnerabilities)) ;binutils '() - (list (second %expected-vulnerabilities)) - (list (third %expected-vulnerabilities))) - (let* ((vulns (call-with-input-file %sample xml->vulnerabilities)) + (list (sixth %expected-vulnerabilities)) + '()) + (let* ((vulns (call-with-input-file %sample json->vulnerabilities)) (lookup (vulnerabilities->lookup-proc vulns))) - (list (lookup "phpvid") - (lookup "jasper" "2.0") - (lookup "foobar") - (lookup "jasper" "1.900.1") - (lookup "openoffice.org" "2.3.0")))) + (list (lookup "ghostscript") + (lookup "ghostscript" "9.27") + (lookup "ghostscript" "9.28") + (lookup "gdb") + (lookup "gdb" "42.0") + (lookup "nix") + (lookup "nix" "2.4") + (lookup "binutils" "2.31.1") + (lookup "binutils" "2.10") + (lookup "binutils_gold" "1.11") + (lookup "binutils" "2.32")))) (test-end "cve") -- cgit 1.4.1 From 97bc3cbea5fc281a299c03eaaa3be5baf21ea673 Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Wed, 30 Oct 2019 17:46:17 -0400 Subject: services: ntp: Ensure no double quotes are output to config file. * gnu/services/networking.scm (ntp-server->string): Use the textual representation of the values as printed by 'display' rather than 'write', to avoid inserting double quotes in the generated config. * tests/networking.scm (%ntp-server-sample): Add a comment and make one of the options a string, to exercise the fix. ("ntp-server->string"): Move the expected value to the first argument. ("ntp configuration servers deprecated form"): Likewise. ("openntpd generated config string ends with a newline"): Likewise. --- gnu/services/networking.scm | 2 +- tests/networking.scm | 19 ++++++++++--------- 2 files changed, 11 insertions(+), 10 deletions(-) (limited to 'tests') diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 93d9b6a15e..841fbd741e 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -345,7 +345,7 @@ Protocol (DHCP) client, on all the non-loopback network interfaces." (res '())) (if (list? x) (fold loop res x) - (cons (format #f "~s" x) res))))) + (cons (format #f "~a" x) res))))) (match ntp-server (($ type address options) diff --git a/tests/networking.scm b/tests/networking.scm index 439cca5ffc..c494a48067 100644 --- a/tests/networking.scm +++ b/tests/networking.scm @@ -36,22 +36,23 @@ (ntp-server (type 'server) (address "some.ntp.server.org") - (options `(iburst (version 3) (maxpoll 16) prefer)))) + ;; Using either strings or symbols for option names is accepted. + (options `("iburst" (version 3) (maxpoll 16) prefer)))) (test-equal "ntp-server->string" - (ntp-server->string %ntp-server-sample) - "server some.ntp.server.org iburst version 3 maxpoll 16 prefer") + "server some.ntp.server.org iburst version 3 maxpoll 16 prefer" + (ntp-server->string %ntp-server-sample)) (test-equal "ntp configuration servers deprecated form" + (ntp-configuration-servers + (ntp-configuration + (servers (list "example.pool.ntp.org")))) (ntp-configuration-servers (ntp-configuration (servers (list (ntp-server (type 'server) (address "example.pool.ntp.org") - (options '())))))) - (ntp-configuration-servers - (ntp-configuration - (servers (list "example.pool.ntp.org"))))) + (options '()))))))) ;;; @@ -106,8 +107,8 @@ the sanity check:\n~a~%" config) #t)))) (test-equal "openntpd generated config string ends with a newline" + "\n" (let ((config (openntpd-configuration->string %openntpd-conf-sample))) - (string-take-right config 1)) - "\n") + (string-take-right config 1))) (test-end "networking") -- cgit 1.4.1 From 537b2daba9a5f0c17bde2203e6fb074a661d5b32 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Thu, 7 Nov 2019 10:22:24 +0100 Subject: gnu: commencement: Ensure 'gnu-make-final' refers to the native 'pkg-config'. Fixes . When running: guix build --target=arm-linux-gnueabihf -e '(@ (gnu packages base) coreutils)' the '%current-target-system' parameter is set by the time the top-level of (gnu packages commencement) is evaluated. Consequently, we need to ensure that the 'pkg-config' macro evaluates in a context where '%current-target-system' is unset. * gnu/packages/commencement.scm (gnu-make-final): Refer to '%pkg-config' instead of 'pkg-config'. * tests/guix-build.sh: Add test. --- gnu/packages/commencement.scm | 2 +- tests/guix-build.sh | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'tests') diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm index b022a0d634..6a382c7517 100644 --- a/gnu/packages/commencement.scm +++ b/gnu/packages/commencement.scm @@ -2402,7 +2402,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%" ;; PKG-CONFIG. ;; TODO: Fix that on the next rebuild cycle. (let ((pkg-config (package - (inherit pkg-config) + (inherit %pkg-config) ;the native pkg-config (inputs `(("guile" ,guile-final) ,@(%boot5-inputs))) (arguments diff --git a/tests/guix-build.sh b/tests/guix-build.sh index 37666ffd01..52feda9d3a 100644 --- a/tests/guix-build.sh +++ b/tests/guix-build.sh @@ -226,6 +226,10 @@ rmdir "$result" # Cross building. guix build coreutils --target=mips64el-linux-gnu --dry-run --no-substitutes +# Likewise, but with '-e' (see ). +guix build --target=arm-linux-gnueabihf --dry-run \ + -e '(@ (gnu packages base) coreutils)' + # Replacements. drv1=`guix build guix --with-input=guile@2.0=guile@2.2 -d` drv2=`guix build guix -d` -- cgit 1.4.1 From 3e962e59d849e4300e447d94487684102d9d412e Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Thu, 7 Nov 2019 18:15:55 +0100 Subject: graph: Support package transformation options. * guix/scripts/graph.scm (%options): Append %TRANSFORMATION-OPTIONS. (show-help): Call 'show-transformation-options-help'. (guix-graph): Call 'options->transformation' and use it. * tests/guix-graph.sh: Add test. * doc/guix.texi (Invoking guix graph): Document it. --- doc/guix.texi | 11 ++++++ guix/scripts/graph.scm | 105 ++++++++++++++++++++++++++++--------------------- tests/guix-graph.sh | 8 +++- 3 files changed, 78 insertions(+), 46 deletions(-) (limited to 'tests') diff --git a/doc/guix.texi b/doc/guix.texi index 3a9d206b9f..3b8e5935bb 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -9907,7 +9907,18 @@ The package dependency graph is largely architecture-independent, but there are some architecture-dependent bits that this option allows you to visualize. @end table +On top of that, @command{guix graph} supports all the usual package +transformation options (@pxref{Package Transformation Options}). This +makes it easy to view the effect of a graph-rewriting transformation +such as @option{--with-input}. For example, the command below outputs +the graph of @code{git} once @code{openssl} has been replaced by +@code{libressl} everywhere in the graph: +@example +guix graph git --with-input=openssl=libressl +@end example + +So many possibilities, so much fun! @node Invoking guix publish @section Invoking @command{guix publish} diff --git a/guix/scripts/graph.scm b/guix/scripts/graph.scm index 2e14857f1e..7558cb1e85 100644 --- a/guix/scripts/graph.scm +++ b/guix/scripts/graph.scm @@ -32,6 +32,10 @@ #:use-module (gnu packages) #:use-module (guix sets) #:use-module ((guix utils) #:select (location-file)) + #:use-module ((guix scripts build) + #:select (show-transformation-options-help + options->transformation + %transformation-options)) #:use-module (srfi srfi-1) #:use-module (srfi srfi-26) #:use-module (srfi srfi-34) @@ -446,36 +450,38 @@ package modules, while attempting to retain user package modules." ;;; (define %options - (list (option '(#\t "type") #t #f - (lambda (opt name arg result) - (alist-cons 'node-type (lookup-node-type arg) - result))) - (option '("list-types") #f #f - (lambda (opt name arg result) - (list-node-types) - (exit 0))) - (option '(#\b "backend") #t #f - (lambda (opt name arg result) - (alist-cons 'backend (lookup-backend arg) - result))) - (option '("list-backends") #f #f - (lambda (opt name arg result) - (list-backends) - (exit 0))) - (option '(#\e "expression") #t #f - (lambda (opt name arg result) - (alist-cons 'expression arg result))) - (option '(#\s "system") #t #f - (lambda (opt name arg result) - (alist-cons 'system arg - (alist-delete 'system result eq?)))) - (option '(#\h "help") #f #f - (lambda args - (show-help) - (exit 0))) - (option '(#\V "version") #f #f - (lambda args - (show-version-and-exit "guix edit"))))) + (cons* (option '(#\t "type") #t #f + (lambda (opt name arg result) + (alist-cons 'node-type (lookup-node-type arg) + result))) + (option '("list-types") #f #f + (lambda (opt name arg result) + (list-node-types) + (exit 0))) + (option '(#\b "backend") #t #f + (lambda (opt name arg result) + (alist-cons 'backend (lookup-backend arg) + result))) + (option '("list-backends") #f #f + (lambda (opt name arg result) + (list-backends) + (exit 0))) + (option '(#\e "expression") #t #f + (lambda (opt name arg result) + (alist-cons 'expression arg result))) + (option '(#\s "system") #t #f + (lambda (opt name arg result) + (alist-cons 'system arg + (alist-delete 'system result eq?)))) + (option '(#\h "help") #f #f + (lambda args + (show-help) + (exit 0))) + (option '(#\V "version") #f #f + (lambda args + (show-version-and-exit "guix graph"))) + + %transformation-options)) (define (show-help) ;; TRANSLATORS: Here 'dot' is the name of a program; it must not be @@ -495,6 +501,8 @@ Emit a representation of the dependency graph of PACKAGE...\n")) (display (G_ " -s, --system=SYSTEM consider the graph for SYSTEM--e.g., \"i686-linux\"")) (newline) + (show-transformation-options-help) + (newline) (display (G_ " -h, --help display this help and exit")) (display (G_ " @@ -514,21 +522,28 @@ Emit a representation of the dependency graph of PACKAGE...\n")) (define (guix-graph . args) (with-error-handling - (let* ((opts (parse-command-line args %options - (list %default-options) - #:build-options? #f)) - (backend (assoc-ref opts 'backend)) - (type (assoc-ref opts 'node-type)) - (items (filter-map (match-lambda - (('argument . (? store-path? item)) - item) - (('argument . spec) - (specification->package spec)) - (('expression . exp) - (read/eval-package-expression exp)) - (_ #f)) - opts))) - (with-store store + (define opts + (parse-command-line args %options + (list %default-options) + #:build-options? #f)) + (define backend + (assoc-ref opts 'backend)) + (define type + (assoc-ref opts 'node-type)) + + (with-store store + (let* ((transform (options->transformation opts)) + (items (filter-map (match-lambda + (('argument . (? store-path? item)) + item) + (('argument . spec) + (transform store + (specification->package spec))) + (('expression . exp) + (transform store + (read/eval-package-expression exp))) + (_ #f)) + opts))) ;; Ask for absolute file names so that .drv file names passed from the ;; user to 'read-derivation' are absolute when it returns. (with-fluids ((%file-port-name-canonicalization 'absolute)) diff --git a/tests/guix-graph.sh b/tests/guix-graph.sh index 1ec99706fd..2d4b3fac3f 100644 --- a/tests/guix-graph.sh +++ b/tests/guix-graph.sh @@ -1,5 +1,5 @@ # GNU Guix --- Functional package management for GNU -# Copyright © 2015, 2016 Ludovic Courtès +# Copyright © 2015, 2016, 2019 Ludovic Courtès # # This file is part of GNU Guix. # @@ -53,3 +53,9 @@ cmp "$tmpfile1" "$tmpfile2" guix graph -t derivation coreutils > "$tmpfile1" guix graph -t derivation `guix build -d coreutils` > "$tmpfile2" cmp "$tmpfile1" "$tmpfile2" + +# Try package transformation options. +guix graph git | grep 'label = "openssl' +guix graph git --with-input=openssl=libressl | grep 'label = "libressl' +if guix graph git --with-input=openssl=libressl | grep 'label = "openssl' +then false; else true; fi -- cgit 1.4.1 From b1fb663404894268b5ee92c040f12c52c0bee425 Mon Sep 17 00:00:00 2001 From: Julien Lepiller Date: Fri, 25 Oct 2019 21:39:21 +0200 Subject: guix: package: lock profiles when processing them. * guix/scripts/package.scm (process-actions): Get a per-profile lock to prevent concurrent actions on profiles. * tests/guix-package.sh: Add test. --- guix/scripts/package.scm | 70 +++++++++++++++++++++++++++--------------------- tests/guix-package.sh | 10 ++++++- 2 files changed, 49 insertions(+), 31 deletions(-) (limited to 'tests') diff --git a/guix/scripts/package.scm b/guix/scripts/package.scm index 1a58d43e5c..bcd03a1df9 100644 --- a/guix/scripts/package.scm +++ b/guix/scripts/package.scm @@ -42,6 +42,8 @@ #:autoload (guix store roots) (gc-roots) #:use-module ((guix build utils) #:select (directory-exists? mkdir-p)) + #:use-module ((guix build syscalls) + #:select (with-file-lock/no-wait)) #:use-module (ice-9 format) #:use-module (ice-9 match) #:use-module (ice-9 regex) @@ -876,36 +878,44 @@ processed, #f otherwise." (package-version item) (manifest-entry-version entry)))))) - ;; First, process roll-backs, generation removals, etc. - (for-each (match-lambda - ((key . arg) - (and=> (assoc-ref %actions key) - (lambda (proc) - (proc store profile arg opts - #:dry-run? dry-run?))))) - opts) - - ;; Then, process normal package removal/installation/upgrade. - (let* ((manifest (profile-manifest profile)) - (step1 (options->removable opts manifest - (manifest-transaction))) - (step2 (options->installable opts manifest step1)) - (step3 (manifest-transaction - (inherit step2) - (install (map transform-entry - (manifest-transaction-install step2))))) - (new (manifest-perform-transaction manifest step3))) - - (warn-about-old-distro) - - (unless (manifest-transaction-null? step3) - (show-manifest-transaction store manifest step3 - #:dry-run? dry-run?) - (build-and-use-profile store profile new - #:allow-collisions? allow-collisions? - #:bootstrap? bootstrap? - #:use-substitutes? substitutes? - #:dry-run? dry-run?)))) + + ;; First, acquire a lock on the profile, to ensure only one guix process + ;; is modifying it at a time. + (with-file-lock/no-wait (string-append profile ".lock") + (lambda (key . args) + (leave (G_ "profile ~a is locked by another process~%") + profile)) + + ;; Then, process roll-backs, generation removals, etc. + (for-each (match-lambda + ((key . arg) + (and=> (assoc-ref %actions key) + (lambda (proc) + (proc store profile arg opts + #:dry-run? dry-run?))))) + opts) + + ;; Then, process normal package removal/installation/upgrade. + (let* ((manifest (profile-manifest profile)) + (step1 (options->removable opts manifest + (manifest-transaction))) + (step2 (options->installable opts manifest step1)) + (step3 (manifest-transaction + (inherit step2) + (install (map transform-entry + (manifest-transaction-install step2))))) + (new (manifest-perform-transaction manifest step3))) + + (warn-about-old-distro) + + (unless (manifest-transaction-null? step3) + (show-manifest-transaction store manifest step3 + #:dry-run? dry-run?) + (build-and-use-profile store profile new + #:allow-collisions? allow-collisions? + #:bootstrap? bootstrap? + #:use-substitutes? substitutes? + #:dry-run? dry-run?))))) ;;; diff --git a/tests/guix-package.sh b/tests/guix-package.sh index 0de30bf6c1..7ad0699380 100644 --- a/tests/guix-package.sh +++ b/tests/guix-package.sh @@ -33,7 +33,7 @@ profile="t-profile-$$" tmpfile="t-guix-package-file-$$" rm -f "$profile" "$tmpfile" -trap 'rm -f "$profile" "$profile-"[0-9]* "$tmpfile"; rm -rf "$module_dir" t-home-'"$$" EXIT +trap 'rm -f "$profile" "$profile.lock" "$profile-"[0-9]* "$tmpfile"; rm -rf "$module_dir" t-home-'"$$" EXIT # Use `-e' with a non-package expression. if guix package --bootstrap -e +; @@ -452,3 +452,11 @@ rm -rf "$module_dir" # Make sure we can see user profiles. guix package --list-profiles | grep "$profile" guix package --list-profiles | grep '\.guix-profile' + +# Make sure we can properly lock a profile. +mkdir "$module_dir" +echo '(sleep 60)' > "$module_dir/manifest.scm" +guix package -m "$module_dir/manifest.scm" -p "$module_dir/profile" & +pid=$! +if guix install emacs -p "$module_dir/profile"; then kill $pid; false; else true; fi +kill $pid -- cgit 1.4.1