Bug 197065

Summary: net-p2p/transmission-cli: Add CPE information for Transmission ports
Product: Ports & Packages
Reporter: Jan Beich <jbeich>
Component: Individual Port(s)
Assignee: Jan Beich <jbeich>
Status: Closed FIXED
Severity: Affects Only Me
CC: shun.fbsd.pr
Priority: ---
Flags: jbeich: maintainer-feedback+
Version: Latest
Hardware: Any
OS: Any
Attachments:
  add USES=cpe (flags: none)
  Makefile with CPE information (flags: none)
  new Makefile with CPE information for all options (flags: none)

Description Jan Beich freebsd_committer freebsd_triage 2015-01-25 10:29:02 UTC
Created attachment 152122
add USES=cpe

NVD lists 3 vulnerabilities, the most recent being from 2014-07-29
against 2.82 and we have no VuXML entry for it.

Trivial change, no logs.

  $ make -V CPE_STR PORTVERSION=2.82
  cpe:2.3:a:transmissionbt:transmission:2.82:::::freebsd11:x64:1

https://web.nvd.nist.gov/view/cpe/search/results?searchChoice=name&cpeName=cpe:2.3:a:transmissionbt:transmission:2.82:
Comment 1 Bugzilla Automation freebsd_committer freebsd_triage 2015-01-25 10:29:02 UTC
Auto-assigned to maintainer crees@FreeBSD.org
Comment 2 shun 2015-02-08 16:25:49 UTC
Created attachment 152711
Makefile with CPE information

CPE info added to Makefile
Comment 3 Jan Beich freebsd_committer freebsd_triage 2015-02-08 21:52:08 UTC
Comment on attachment 152711
Makefile with CPE information

CPE has to include -web slave in order to catch vulns like CVE-2012-4037.
https://trac.transmissionbt.com/changeset/13392
Comment 4 shun 2015-02-08 22:07:53 UTC
Could you clarify what you mean? The official CPE dictionary does not include the "-web" string for transmission. (test: grep transmission official-cpe-dictionary_v2.3.xml | grep web | wc -l -> yields 0)
Comment 5 Jan Beich freebsd_committer freebsd_triage 2015-02-08 22:24:14 UTC
I was talking about www/transmission-web which was vulnerable at one point while your patch only populates CPE_STR under .if ${SLAVEPORT} != web.
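
An added example, not part of the original thread or of the ports framework: it parses a CPE_STR like the one in the description, matches it against a vulnerable CPE name, and reports ports that carry no CPE_STR at all, which is the gap comment 5 points out for the web slave. The port table, the function names, and the treatment of empty fields as "any" are assumptions of this example; the vulnerable CPE name is the one in the NVD search URL from the description.

```python
import re

# Attribute order of a CPE 2.3 formatted string.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(s):
    """Split a CPE 2.3 formatted string into a dict of its 11 attributes."""
    if not s.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string: %r" % s)
    # Split on ':' unless it is escaped with a backslash.
    parts = re.split(r"(?<!\\):", s[len("cpe:2.3:"):])
    if len(parts) > len(FIELDS):
        raise ValueError("too many attributes: %r" % s)
    parts += [""] * (len(FIELDS) - len(parts))  # tolerate truncated names
    # Assumption: an empty field (as in the make output) means ANY, like '*'.
    return {k: (v or "*") for k, v in zip(FIELDS, parts)}

def matches(port_cpe, vuln_cpe, keys=("part", "vendor", "product", "version")):
    """True if the vulnerable CPE name covers the port on the given attributes."""
    p, v = parse_cpe23(port_cpe), parse_cpe23(vuln_cpe)
    return all(v[k] == "*" or v[k].lower() == p[k].lower() for k in keys)

def audit(ports, vulnerable):
    """Return (flagged, unchecked): ports hit by a vulnerable CPE name,
    and ports that define no CPE_STR and so can never be matched."""
    flagged, unchecked = [], []
    for name, cpe in ports.items():
        if not cpe:
            unchecked.append(name)
        elif any(matches(cpe, v) for v in vulnerable):
            flagged.append(name)
    return sorted(flagged), sorted(unchecked)

# Constructed sample: the CPE_STR printed in the description, and a web slave
# left without CPE_STR, as with a Makefile that sets it only for other slaves.
PORTS = {
    "net-p2p/transmission-cli":
        "cpe:2.3:a:transmissionbt:transmission:2.82:::::freebsd11:x64:1",
    "www/transmission-web": None,
}
VULNERABLE = ["cpe:2.3:a:transmissionbt:transmission:2.82:"]

if __name__ == "__main__":
    flagged, unchecked = audit(PORTS, VULNERABLE)
    print("flagged:", flagged)
    print("no CPE_STR, cannot be checked:", unchecked)
```
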
Comment 6 shun 2015-02-08 22:42:04 UTC
Created attachment 152785
new Makefile with CPE information for all options
Comment 7 shun 2015-02-08 22:43:02 UTC
(In reply to Jan Beich from comment #5)
You are right. I was confused by the "# This is master port of transmission-*, so don't override USES definition" comment. Uploaded a new patch.
Comment 8 Jan Beich freebsd_committer freebsd_triage 2015-02-10 21:24:21 UTC
And the only difference with my patch in comment 0 is a newline. ;)
I'll probably take over maintainership and land with other changes, see review D1806.
Comment 9 commit-hook freebsd_committer freebsd_triage 2015-02-10 21:58:40 UTC
A commit references this bug:

Author: jbeich
Date: Tue Feb 10 21:57:47 UTC 2015
New revision: 378806
URL: https://svnweb.freebsd.org/changeset/ports/378806

Log:
  - Add CPE information for Transmission ports [1]
  - Take maintainership [2] as the next update may require partially
    reverting r369657 hacks in favor of upstream support
  - Disable devel/libinotify:
    * used only by transmission-daemon's watch-dir
    * maybe less stable than readdir() fallback
    * disabled by other ports e.g., devel/glib20
    * completely different from devel/libnotify [3]
  - Belatedly bump PORTREVISION

  PR:		197065 [1]
  Differential Revision:	https://reviews.freebsd.org/D1806
  Suggested by:	crees [2]
  Pointy hat:	crees (r287179) [3]
  Approved by:	crees (maintainer) [1][2]
  Approved by:	bapt (mentor)

Changes:
  head/net-p2p/transmission-cli/Makefile
  head/net-p2p/transmission-daemon/Makefile
  head/net-p2p/transmission-gtk/Makefile
  head/net-p2p/transmission-qt4/Makefile