Bug 198257 - lang/gcc47-aux: add CPE information
Summary: lang/gcc47-aux: add CPE information
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: John Marino
Depends on:
Reported: 2015-03-03 22:05 UTC by shun
Modified: 2015-03-05 09:04 UTC

bugzilla: maintainer-feedback? (marino)

Makefile with CPE information added (273 bytes, patch)
2015-03-03 22:05 UTC, shun

Description shun 2015-03-03 22:05:30 UTC
Created attachment 153746
Makefile with CPE information added

lang/gcc47-aux has had vulnerabilities with a CPE identifier assigned (e.g. CVE-2008-1367). This patch adds CPE information as suggested in the FreeBSD wiki[0].

[0] https://wiki.freebsd.org/Ports/CPE
Comment 1 John Marino freebsd_committer 2015-03-04 00:12:50 UTC
according to: http://www.cvedetails.com/cve/CVE-2008-1367/

CVE-2008-1367 applies to gcc 4.3.x

gcc-aux is version 4.7.4

To me this CVE is not applicable.  Why do you think it is?
Comment 2 commit-hook freebsd_committer 2015-03-05 09:01:31 UTC
A commit references this bug:

Author: marino
Date: Thu Mar  5 09:01:27 UTC 2015
New revision: 380478
URL: https://svnweb.freebsd.org/changeset/ports/380478

  lang/gcc-aux, lang/gcc47-aux, lang/gnatdroid-arm*: Add CPE information

  There are no active CVEs against GCC 4.7.x or 4.9.x, but GCC is listed
  in the CPE database due to earlier CVEs.  To prepare for future CVEs, add
  the CPE information.  Note that CPE_VERSION has to be defined since these
  ports use their own version schemes rather than GCC version numbers.

  PR:		198252
  PR:		198257
  Submitted by:	shun (dropcut.net)

Comment 3 John Marino freebsd_committer 2015-03-05 09:04:20 UTC
Thanks, two changes

1) I had to add CPE_VERSION entry since gcc47-aux uses a date for a version, not the gcc version, so the CPE_STR was wrong without it

2) I moved it to Makefile.common.  No other port uses Makefile.common (anymore) so it doesn't make a difference, it's just cleaner there.
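
The version mismatch discussed in Comments 1 and 3 can be seen in a small model of how a CPE string is built and matched against advisory version ranges. This is an added example, not code from the port or the ports framework. Assumptions: the defaulting rules in `cpe_str` are a simplification of the framework's behaviour, `gnu`/`gcc` are taken as the vendor and product names used for GCC in the CPE dictionary, the date-style PORTVERSION and the 4.7.x advisory are constructed, and the 4.3.x range is taken from Comment 1.

```python
# Added example: simplified model of how a port's CPE string is derived.
# Assumption: CPE_PRODUCT defaults to PORTNAME, CPE_VENDOR to CPE_PRODUCT and
# CPE_VERSION to PORTVERSION; the seven trailing CPE 2.3 fields are left "*".

def cpe_str(portname, portversion, vendor=None, product=None, version=None):
    product = product or portname.lower()
    vendor = vendor or product
    version = version or portversion.lower()
    return ":".join(["cpe", "2.3", "a", vendor, product, version] + ["*"] * 7)

def parse_version(v):
    """Dotted numeric version -> tuple of ints ("20150101" becomes one number)."""
    return tuple(int(p) for p in v.split("."))

def in_range(cpe, vendor, product, lo, hi):
    """True if cpe names vendor:product and lo <= version < hi."""
    f = cpe.split(":")
    if (f[3], f[4]) != (vendor, product):
        return False
    return parse_version(lo) <= parse_version(f[5]) < parse_version(hi)

# Constructed inputs: a date-style port version and two advisory ranges.
PORTNAME, PORTVERSION = "gcc47-aux", "20150101"
ADVISORIES = {
    "CVE-2008-1367": ("4.3.0", "4.4.0"),       # "applies to gcc 4.3.x" (Comment 1)
    "hypothetical-4.7.x": ("4.7.0", "4.8.0"),  # constructed future advisory
}

def report():
    """Map each Makefile variant to the advisories its CPE string matches."""
    variants = {
        "default": cpe_str(PORTNAME, PORTVERSION),
        "product_only": cpe_str(PORTNAME, PORTVERSION, "gnu", "gcc"),
        "with_version": cpe_str(PORTNAME, PORTVERSION, "gnu", "gcc", "4.7.4"),
    }
    return {
        name: [adv for adv, (lo, hi) in ADVISORIES.items()
               if in_range(cpe, "gnu", "gcc", lo, hi)]
        for name, cpe in variants.items()
    }

if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:13s} matches {hits}")
```

Only the variant that sets the version explicitly matches the constructed 4.7.x advisory; none of them match the 4.3.x range.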