* [Buildroot] [PATCH 1/1] package/libtorrent-rasterbar: add CPE variables
From: Fabrice Fontaine @ 2021-01-23 22:19 UTC
To: buildroot
cpe:2.3:a:libtorrent:libtorrent is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibtorrent%3Alibtorrent
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/libtorrent-rasterbar/libtorrent-rasterbar.mk | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
index de8c122520..7f60252e9b 100644
--- a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
+++ b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
@@ -9,6 +9,8 @@ LIBTORRENT_RASTERBAR_SITE = \
https://github.com/arvidn/libtorrent/releases/download/v$(LIBTORRENT_RASTERBAR_VERSION)
LIBTORRENT_RASTERBAR_LICENSE = BSD-3-Clause
LIBTORRENT_RASTERBAR_LICENSE_FILES = COPYING
+LIBTORRENT_RASTERBAR_CPE_ID_VENDOR = libtorrent
+LIBTORRENT_RASTERBAR_CPE_ID_PRODUCT = libtorrent
LIBTORRENT_RASTERBAR_DEPENDENCIES = host-pkgconf boost openssl
LIBTORRENT_RASTERBAR_INSTALL_STAGING = YES
LIBTORRENT_RASTERBAR_CONF_OPTS = \
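Review bot: The two added CPE_ID lines set both vendor and product to libtorrent, which differs from the package name libtorrent-rasterbar, and nothing in the .mk says why. The SITE line in the same hunk points at github.com/arvidn/libtorrent, so a one-line comment above the CPE variables (or a sentence in the commit message) tying libtorrent:libtorrent to that upstream would let a reader check the mapping without searching NVD.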
--
2.29.2
* [Buildroot] [PATCH 1/1] package/libtorrent-rasterbar: add CPE variables
From: Thomas Petazzoni @ 2021-01-23 22:45 UTC
To: buildroot
On Sat, 23 Jan 2021 23:19:56 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> cpe:2.3:a:libtorrent:libtorrent is a valid CPE identifier for this
> package:
>
> https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibtorrent%3Alibtorrent
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/libtorrent-rasterbar/libtorrent-rasterbar.mk | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> index de8c122520..7f60252e9b 100644
> --- a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> +++ b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> @@ -9,6 +9,8 @@ LIBTORRENT_RASTERBAR_SITE = \
> https://github.com/arvidn/libtorrent/releases/download/v$(LIBTORRENT_RASTERBAR_VERSION)
> LIBTORRENT_RASTERBAR_LICENSE = BSD-3-Clause
> LIBTORRENT_RASTERBAR_LICENSE_FILES = COPYING
> +LIBTORRENT_RASTERBAR_CPE_ID_VENDOR = libtorrent
> +LIBTORRENT_RASTERBAR_CPE_ID_PRODUCT = libtorrent
We also have package/libtorrent/ in Buildroot. How do we know for sure
that the libtorrent:libtorrent CPE ID applies to
package/libtorrent-rasterbar/ ? Yes indeed, the latest CPE ID known for
libtorrent:libtorrent is 1.2.2, which is pretty close to the 1.2.12 we
have in Buildroot for libtorrent-rasterbar. But other than that ?
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 1/1] package/libtorrent-rasterbar: add CPE variables
From: Fabrice Fontaine @ 2021-01-23 22:52 UTC
To: buildroot
On Sat, 23 Jan 2021 at 23:45, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Sat, 23 Jan 2021 23:19:56 +0100
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>
> > cpe:2.3:a:libtorrent:libtorrent is a valid CPE identifier for this
> > package:
> >
> > https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibtorrent%3Alibtorrent
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > ---
> > package/libtorrent-rasterbar/libtorrent-rasterbar.mk | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> > index de8c122520..7f60252e9b 100644
> > --- a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> > +++ b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> > @@ -9,6 +9,8 @@ LIBTORRENT_RASTERBAR_SITE = \
> > https://github.com/arvidn/libtorrent/releases/download/v$(LIBTORRENT_RASTERBAR_VERSION)
> > LIBTORRENT_RASTERBAR_LICENSE = BSD-3-Clause
> > LIBTORRENT_RASTERBAR_LICENSE_FILES = COPYING
> > +LIBTORRENT_RASTERBAR_CPE_ID_VENDOR = libtorrent
> > +LIBTORRENT_RASTERBAR_CPE_ID_PRODUCT = libtorrent
>
> We also have package/libtorrent/ in Buildroot. How do we know for sure
> that the libtorrent:libtorrent CPE ID applies to
> package/libtorrent-rasterbar/ ? Yes indeed, the latest CPE ID known for
> libtorrent:libtorrent is 1.2.2, which is pretty close to the 1.2.12 we
> have in Buildroot for libtorrent-rasterbar. But other than that ?
Because the NIST database contains the following information for this
CPE (https://nvd.nist.gov/products/cpe/detail/659515?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Alibtorrent%3Alibtorrent&status=FINAL):
Product http://libtorrent.org/
Version https://github.com/arvidn/libtorrent
I was not able to find libtorrent (a.k.a.
https://github.com/rakshasa/rtorrent) in the NIST database.
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
Best Regards,
Fabrice
* [Buildroot] [PATCH 1/1] package/libtorrent-rasterbar: add CPE variables
From: Yann E. MORIN @ 2021-01-24 16:30 UTC
To: buildroot
On 2021-01-23 23:45 +0100, Thomas Petazzoni spake thusly:
> On Sat, 23 Jan 2021 23:19:56 +0100
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>
> > cpe:2.3:a:libtorrent:libtorrent is a valid CPE identifier for this
> > package:
> >
> > https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibtorrent%3Alibtorrent
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > ---
> > package/libtorrent-rasterbar/libtorrent-rasterbar.mk | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> > index de8c122520..7f60252e9b 100644
> > --- a/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> > +++ b/package/libtorrent-rasterbar/libtorrent-rasterbar.mk
> > @@ -9,6 +9,8 @@ LIBTORRENT_RASTERBAR_SITE = \
> > https://github.com/arvidn/libtorrent/releases/download/v$(LIBTORRENT_RASTERBAR_VERSION)
> > LIBTORRENT_RASTERBAR_LICENSE = BSD-3-Clause
> > LIBTORRENT_RASTERBAR_LICENSE_FILES = COPYING
> > +LIBTORRENT_RASTERBAR_CPE_ID_VENDOR = libtorrent
> > +LIBTORRENT_RASTERBAR_CPE_ID_PRODUCT = libtorrent
>
> We also have package/libtorrent/ in Buildroot. How do we know for sure
> that the libtorrent:libtorrent CPE ID applies to
> package/libtorrent-rasterbar/ ? Yes indeed, the latest CPE ID known for
> libtorrent:libtorrent is 1.2.2, which is pretty close to the 1.2.12 we
> have in Buildroot for libtorrent-rasterbar. But other than that ?
libtorrent-rasterbar is the release archive of the libtorrent project;
https://github.com/arvidn/libtorrent/releases/tag/v1.2.12
Applied to master, thanks.
Regards,
Yann E. MORIN.
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
* [Buildroot] [PATCH 1/1] package/libtorrent-rasterbar: add CPE variables
From: Yann E. MORIN @ 2021-01-24 16:36 UTC
To: buildroot
Thomas, All,
On 2021-01-24 17:30 +0100, Yann E. MORIN spake thusly:
> On 2021-01-23 23:45 +0100, Thomas Petazzoni spake thusly:
> > On Sat, 23 Jan 2021 23:19:56 +0100
> > Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> > > cpe:2.3:a:libtorrent:libtorrent is a valid CPE identifier for this
> > > package:
> > > https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibtorrent%3Alibtorrent
[--SNIP--]
> > We also have package/libtorrent/ in Buildroot. How do we know for sure
> > that the libtorrent:libtorrent CPE ID applies to
> > package/libtorrent-rasterbar/ ? Yes indeed, the latest CPE ID known for
> > libtorrent:libtorrent is 1.2.2, which is pretty close to the 1.2.12 we
> > have in Buildroot for libtorrent-rasterbar. But other than that ?
> libtorrent-rasterbar is the release archive of the libtorrent project;
> https://github.com/arvidn/libtorrent/releases/tag/v1.2.12
Oh, sorry, I misunderstood you...
libtorrent-rasterbar references two CVEs:
commit a4b2f636cc6146b85558777cdda59fd55312a0e2
Author: Arvid Norberg <arvid@cs.umu.se>
Date: Mon Jul 29 17:45:26 2019 -0700
update changelog to include CVE references
diff --git a/ChangeLog b/ChangeLog
index d301d9f1c..a9745286f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -223,7 +223,7 @@
* fix IPv6 tracker support by performing the second announce in
* more cases
* fix utf-8 encoding check in torrent parser
* fix infinite loop when parsing maliciously crafted torrents
- * fix invalid read in parse_int in bdecoder
+ * fix invalid read in parse_int in bdecoder (CVE-2017-9847)
* fix issue with very long tracker- and web seed URLs
* don't attempt to create empty files on startup, if they
* already exist
* fix force-recheck issue (new files would not be picked up)
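Review bot: Only the parse_int entry gains a CVE id, while the entry directly above it, "fix infinite loop when parsing maliciously crafted torrents", also reads as a security fix and stays unreferenced. Worth confirming whether an identifier was assigned for it and, if so, adding it in the same parenthetical style.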
@@ -312,7 +312,7 @@
1.1.1 release
- * update puff.c for gzip inflation
+ * update puff.c for gzip inflation (CVE-2016-7164)
* add dht_bootstrap_node a setting in settings_pack (and add
* default)
* make pad-file and symlink support conform to BEP47
* fix piece picker bug that could result in division by zero
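Review bot: The changed entry under "1.1.1 release" names the file that was updated (puff.c) and now the CVE id, but still not the defect that was fixed. A few words on what went wrong in gzip inflation would let downstream packagers judge the fix from the ChangeLog alone.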
And those two CVEs are attributed to libtorrent in the NIST DB:
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&seach_type=all&query=cpe:2.3:a:libtorrent:libtorrent:*:-:*:*:*:*:*:*
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
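The cross-check described in the last message (CVE ids named in the upstream ChangeLog, compared with the vendor:product that NVD attaches to them), as an added example that is not part of the thread or of Buildroot. `NVD_SAMPLE` is a constructed offline stand-in for NVD records, `CHANGELOG` is a constructed excerpt of the entries quoted above, and the function names are hypothetical.

```python
import re

# Constructed excerpt of the upstream ChangeLog entries quoted in the thread.
CHANGELOG = """\
* fix infinite loop when parsing maliciously crafted torrents
* fix invalid read in parse_int in bdecoder (CVE-2017-9847)
* update puff.c for gzip inflation (CVE-2016-7164)
"""

# Constructed offline stand-in for NVD records: CVE id -> CPE 2.3 match strings.
NVD_SAMPLE = {
    "CVE-2017-9847": ["cpe:2.3:a:libtorrent:libtorrent:*:-:*:*:*:*:*:*"],
    "CVE-2016-7164": ["cpe:2.3:a:libtorrent:libtorrent:*:-:*:*:*:*:*:*"],
}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def changelog_cves(text):
    """Return the CVE ids mentioned in a changelog, in order, without repeats."""
    return list(dict.fromkeys(CVE_RE.findall(text)))


def vendor_product(cpe):
    """Split a CPE 2.3 formatted string on unescaped colons; return (vendor, product)."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return fields[3], fields[4]


def check_cpe(vendor, product, changelog, nvd):
    """Sort each changelog CVE into confirmed / mismatch / unknown for vendor:product."""
    result = {"confirmed": [], "mismatch": [], "unknown": []}
    for cve in changelog_cves(changelog):
        cpes = nvd.get(cve)
        if cpes is None:
            result["unknown"].append(cve)  # no record: proves nothing either way
        elif (vendor, product) in {vendor_product(c) for c in cpes}:
            result["confirmed"].append(cve)
        else:
            result["mismatch"].append(cve)
    return result


if __name__ == "__main__":
    print(check_cpe("libtorrent", "libtorrent", CHANGELOG, NVD_SAMPLE))
```

A non-empty `mismatch` list is the signal that the CPE variables point at a different product than the one whose ChangeLog was read; `unknown` entries neither confirm nor refute the mapping.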