Created attachment 153746
Makefile with CPE information added
lang/gcc47-aux has had vulnerabilities with a CPE identifier assigned (e.g. CVE-2008-1367). This patch adds CPE information as suggested in the FreeBSD wiki.
According to: http://www.cvedetails.com/cve/CVE-2008-1367/
CVE-2008-1367 applies to gcc 4.3.x
gcc-aux is version 4.7.4
To me this CVE is not applicable. Why do you think it is?
A commit references this bug:
Date: Thu Mar 5 09:01:27 UTC 2015
New revision: 380478
lang/gcc-aux, lang/gcc47-aux, lang/gnatdroid-arm*: Add CPE information
There are no active CVEs against GCC 4.7.x or 4.9.x, but GCC is listed
in the CPE database due to earlier CVEs. To prepare for future CVEs, add
the CPE information. Note that CPE_VERSION has to be defined since these
ports use their own version schemes rather than GCC version numbers.
Submitted by: shun (dropcut.net)
Thanks, two changes:
1) I had to add CPE_VERSION entry since gcc47-aux uses a date for a version, not the gcc version, so the CPE_STR was wrong without it.
2) I moved it to Makefile.common. No other port uses Makefile.common (anymore) so it doesn't make a difference, it's just cleaner there.
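
Added example (not part of this thread, and not code from the ports tree): a small Python sketch of why a CPE string that carries the port's date-style version instead of the GCC version defeats version-range matching in a vulnerability scanner. The vendor/product pair `gnu`/`gcc`, the date `20150101` and the advisory range are constructed for illustration; only the GCC version 4.7.4 comes from the discussion above.

```python
import re

def cpe_str(vendor, product, version):
    """Build a CPE 2.3 formatted string; the 7 trailing attributes are left as '*'."""
    return ":".join(["cpe", "2.3", "a", vendor, product, version] + ["*"] * 7)

def parse_cpe(cpe):
    """Split a CPE 2.3 string on unescaped colons and return the fields we match on."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return {"vendor": fields[3], "product": fields[4], "version": fields[5]}

def version_key(version):
    """Turn '4.7.4' into (4, 7, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def affected(cpe, rule):
    """True if the CPE names the rule's product and start <= version < end."""
    item = parse_cpe(cpe)
    if (item["vendor"], item["product"]) != (rule["vendor"], rule["product"]):
        return False
    v = version_key(item["version"])
    return version_key(rule["start"]) <= v < version_key(rule["end"])

# Constructed advisory: a hypothetical future CVE covering the GCC 4.7 series.
RULE = {"vendor": "gnu", "product": "gcc", "start": "4.7.0", "end": "4.8.0"}

# Without a version override the port's own date-style version ends up in the
# string (constructed placeholder date, not the real port version).
DATE_BASED = cpe_str("gnu", "gcc", "20150101")
# With the version overridden to the upstream GCC version from the thread.
OVERRIDDEN = cpe_str("gnu", "gcc", "4.7.4")

if __name__ == "__main__":
    for label, cpe in (("date-based", DATE_BASED), ("overridden", OVERRIDDEN)):
        print(label, cpe, "affected:", affected(cpe, RULE))
```

The date-based string compares as a version far above any GCC release, so the scanner reports the port as unaffected even though it ships GCC 4.7.4.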