Bug 211797 - x11-fonts/xfs: Add CPE information
Summary: x11-fonts/xfs: Add CPE information
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Ports Security Team
URL:
Keywords: easy, security
Depends on:
Blocks:
 
Reported: 2016-08-12 21:25 UTC by shun
Modified: 2021-08-18 06:37 UTC

See Also:
bugzilla: maintainer-feedback? (x11)


Attachments
add CPE information to Makefile (338 bytes, patch)
2016-08-12 21:25 UTC, shun
no flags

Description shun 2016-08-12 21:25:16 UTC
Created attachment 173613
add CPE information to Makefile

x11-fonts/xfs has had vulnerabilities with a CPE identifier assigned (e.g. CVE-2007-4568). This patch adds CPE information as suggested in the FreeBSD wiki[0].

[0] https://wiki.freebsd.org/Ports/CPE
Comment 1 Walter Schwarzenfeld freebsd_triage 2018-01-13 22:49:04 UTC
Maintainer feedback?
Comment 2 Niclas Zeising freebsd_committer freebsd_triage 2018-01-13 23:00:43 UTC
I'll look into this.  There's a couple of other xorg ports with PRs for CPE info, I'll do them in one go.
Comment 3 Walter Schwarzenfeld freebsd_triage 2018-01-13 23:08:04 UTC
Thanks!
Comment 4 Jochen Neumeister freebsd_committer freebsd_triage 2019-02-15 18:17:01 UTC
What is the current status?
Does ports-secteam have to be active here?
Comment 5 Niclas Zeising freebsd_committer freebsd_triage 2019-02-17 18:08:12 UTC
(In reply to Jochen Neumeister from comment #4)

This has probably just been dropped.  I'm not sure how useful CPE info is, but there is no harm in adding it.
Comment 6 Niclas Zeising freebsd_committer freebsd_triage 2019-02-17 18:13:04 UTC
(In reply to Niclas Zeising from comment #5)

I do believe the vendor should be x, not x.org though.
Comment 7 Niclas Zeising freebsd_committer freebsd_triage 2019-02-17 18:29:47 UTC
(In reply to Niclas Zeising from comment #6)

Hm
After a closer look, it seems like both x and x.org are used.  I'll double check with ports secteam on which is preferred.
Comment 8 Niclas Zeising freebsd_committer freebsd_triage 2019-02-17 18:34:03 UTC
(In reply to Niclas Zeising from comment #7)

Sorry for spam.  Looking through the ports tree, we have used x as vendor.
Comment 9 commit-hook freebsd_committer freebsd_triage 2019-02-17 19:00:16 UTC
A commit references this bug:

Author: zeising
Date: Sun Feb 17 18:59:31 UTC 2019
New revision: 493180
URL: https://svnweb.freebsd.org/changeset/ports/493180

Log:
  x11-fonts/xfs: Add CPE info

  Add CPE info to xfs.  Use x as vendor, since that's what's used throughout
  the ports tree.  Looking at the NVD CPE database, both x and x.org seem to
  be used.

  PR:		211797 (based on)
  Submitted by:	shun
  Sponsored by:	B3 Init (zeising)

Changes:
  head/x11-fonts/xfs/Makefile
Comment 10 Niclas Zeising freebsd_committer freebsd_triage 2019-02-17 19:16:40 UTC
CPE info has been added.  Sorry for dropping this one on the floor, and thanks for the reminder!
Comment 11 Bernhard Froehlich freebsd_committer freebsd_triage 2021-08-18 06:37:46 UTC
I am currently trying to fix and add CPE information all over the ports tree and just noticed that the CPE info for x11-fonts/xfs was added incorrectly.

CPE_VENDOR is nothing that we decide on but is coming from the CPE Dictionary and the correct value for this port is "x.org" - so the submitted patch was correct. I've fixed it in the ports tree in a71a0b5.
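
Added example, not part of the bug thread or of the FreeBSD ports framework: a check that compares a port's CPE_VENDOR with the vendors a CPE dictionary lists for the same product, which is the mismatch this report ended on. The dictionary excerpt, the Makefile fragments and all function names are constructed for illustration; a real check would load the actual CPE Dictionary.

```python
import re

# Constructed dictionary excerpt in CPE 2.3 formatted-string form (not real NVD
# data; versions and the last two entries are made up for the example).
SAMPLE_DICTIONARY = [
    "cpe:2.3:a:x.org:xfs:1.0.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:x.org:xfs:1.0.5:*:*:*:*:*:*:*",
    "cpe:2.3:a:x:demo_server:6.8:*:*:*:*:*:*:*",
    "cpe:2.3:a:example\\:vendor:demo:1.0:*:*:*:*:*:*:*",
]

def split_cpe(name):
    """Split on ':' but keep backslash-escaped characters (e.g. '\\:') intact."""
    parts, cur, i = [], "", 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name):
            cur += name[i:i + 2]
            i += 2
        elif name[i] == ":":
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += name[i]
            i += 1
    return parts + [cur]

def parse_cpe(name):
    """Return (part, vendor, product) of a CPE 2.3 formatted string."""
    f = split_cpe(name)
    if len(f) != 13 or f[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {name!r}")
    return f[2], f[3], f[4]

def makefile_cpe(text):
    """Collect explicit CPE_* assignments from a port Makefile fragment."""
    return dict(re.findall(r"^(CPE_[A-Z_]+)\??=[ \t]*(\S+)", text, re.M))

def check_port(makefile_text, dictionary=SAMPLE_DICTIONARY):
    """Compare the Makefile's vendor with the dictionary's vendors for the product."""
    cpe = makefile_cpe(makefile_text)
    vendor, product = cpe["CPE_VENDOR"], cpe["CPE_PRODUCT"]
    vendors = sorted({v for _, v, p in map(parse_cpe, dictionary) if p == product})
    if not vendors:
        return "unknown-product", vendors
    return ("ok" if vendor in vendors else "vendor-mismatch"), vendors

if __name__ == "__main__":
    # Constructed Makefile fragments using the two vendor values from the thread.
    print(check_port("CPE_VENDOR=\tx\nCPE_PRODUCT=\txfs\n"))
    print(check_port("CPE_VENDOR=\tx.org\nCPE_PRODUCT=\txfs\n"))
```

A vendor mismatch matters because a scanner matching installed packages against CVE data by CPE name will not find entries filed under the other vendor string.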