Bug 197065 - net-p2p/transmission-cli: Add CPE information for Transmission ports
Summary: net-p2p/transmission-cli: Add CPE information for Transmission ports
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Jan Beich
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-25 10:29 UTC by Jan Beich
Modified: 2015-02-10 22:17 UTC (History)
1 user (show)

See Also:
jbeich: maintainer-feedback+


Attachments
add USES=cpe (415 bytes, patch)
2015-01-25 10:29 UTC, Jan Beich
no flags Details | Diff
Makefile with CPE information (546 bytes, patch)
2015-02-08 16:25 UTC, shun
no flags Details | Diff
new Makefile with CPE information for all options (287 bytes, patch)
2015-02-08 22:42 UTC, shun
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jan Beich freebsd_committer 2015-01-25 10:29:02 UTC
Created attachment 152122 [details]
add USES=cpe

NVD lists 3 vulnerabilites, the most recent being from 2014-07-29
against 2.82 and we have no VuXML entry for it.

Trivial change, no logs.

  $ make -V CPE_STR PORTVERSION=2.82
  cpe:2.3:a:transmissionbt:transmission:2.82:::::freebsd11:x64:1

https://web.nvd.nist.gov/view/cpe/search/results?searchChoice=name&cpeName=cpe:2.3:a:transmissionbt:transmission:2.82:
Comment 1 Bugzilla Automation freebsd_committer 2015-01-25 10:29:02 UTC
Auto-assigned to maintainer crees@FreeBSD.org
Comment 2 shun 2015-02-08 16:25:49 UTC
Created attachment 152711 [details]
Makefile with CPE information

CPE info added to Makefile
Comment 3 Jan Beich freebsd_committer 2015-02-08 21:52:08 UTC
Comment on attachment 152711 [details]
Makefile with CPE information

CPE has to include -web slave in order to catch vulns like CVE-2012-4037.
https://trac.transmissionbt.com/changeset/13392
Comment 4 shun 2015-02-08 22:07:53 UTC
Could you clarify what you mean? The official CPE dictionary does not include the "-web" string for transmission. (test: grep transmission official-cpe-dictionary_v2.3.xml | grep web | wc -l -> yields 0)
Comment 5 Jan Beich freebsd_committer 2015-02-08 22:24:14 UTC
I was talking about www/transmission-web which was vulnerable at one point while your patch only populates CPE_STR under .if ${SLAVEPORT} != web.
Comment 6 shun 2015-02-08 22:42:04 UTC
Created attachment 152785 [details]
new Makefile with CPE information for all options
Comment 7 shun 2015-02-08 22:43:02 UTC
(In reply to Jan Beich from comment #5)
You are right. I was confused by the "# This is master port of transmission-*, so don't override USES definition" comment. Uploaded a new patch.
Comment 8 Jan Beich freebsd_committer 2015-02-10 21:24:21 UTC
And the only difference with my patch in comment 0 is newline. ;)
I'll probably take over maintainership and land with other changes, see review D1806.
Comment 9 commit-hook freebsd_committer 2015-02-10 21:58:40 UTC
A commit references this bug:

Author: jbeich
Date: Tue Feb 10 21:57:47 UTC 2015
New revision: 378806
URL: https://svnweb.freebsd.org/changeset/ports/378806

Log:
  - Add CPE information for Transmission ports [1]
  - Take maintainership [2] as the next update may require partially
    reverting r369657 hacks in favor of upstream support
  - Disable devel/libinotify:
    * used only by transmission-daemon's watch-dir
    * maybe less stable than readdir() fallback
    * disabled by other ports e.g., devel/glib20
    * completely different from devel/libnotify [3]
  - Belatedly bump PORTREVISION

  PR:		197065 [1]
  Differential Revision:	https://reviews.freebsd.org/D1806
  Suggested by:	crees [2]
  Pointy hat:	crees (r287179) [3]
  Approved by:	crees (maintainer) [1][2]
  Approved by:	bapt (mentor)

Changes:
  head/net-p2p/transmission-cli/Makefile
  head/net-p2p/transmission-daemon/Makefile
  head/net-p2p/transmission-gtk/Makefile
  head/net-p2p/transmission-qt4/Makefile