[pcre-dev] PCRE CPE Documentation (forward)

Top Pagina
Delete this message
Auteur: Jason Unovitch
Datum:  
Aan: pcre-dev
CC: ports-secteam, adamw
Onderwerp: [pcre-dev] PCRE CPE Documentation (forward)
Greetings,
I wasn't sure of the correct home for this message. As part of an
effort to match up associated CPE information with ported software on
FreeBSD we came across conflicting information in the NIST dictionary
for PCRE. PCRE was documented having three distinct products, the
correct 'pcre' and two incorrect products:
'perl-compatible_regular_expression_library'
'perl_compatible_regular_expression_library'

I contacted the NIST for clarification based on the steps on Mitre's CPE
page (https://cpe.mitre.org/dictionary/). Their response clarifying the
correct information follows and I'm forwarding it here as a courtesy.
Additionally, have any PCRE developers asked to have PCRE2 registered in
the CPE dictionary? We've matched up the FreeBSD port of PCRE with the
correct CPE information but PCRE2 isn't listed upstream yet. The
process is listed in the link above.

Thanks!

Jason Unovitch
FreeBSD Ports Security Team

- ----- Forwarded message from "Izadjoo, Meisam (Assoc)" <meisam.izadjoo@???> -----

Date: Tue, 5 Jul 2016 14:06:41 +0000
From: "Izadjoo, Meisam (Assoc)" <meisam.izadjoo@???>
To: Jason Unovitch <junovitch@???>
CC: cpe_dictionary <cpe_dictionary@???>
Subject: RE: CPE Inquiry: PCRE - Conflicting Product Information

Good morning and thank you for bringing this matter to our attention. The correct CPE for this product should be: cpe:2.3:a:pcre:pcre

As time permits, we will update the dictionary and correct any conflicts.

Regards,

Mase Izadjoo
National Vulnerability Database
National Institute of Standards and Technology
nvd.nist.gov


- -----Original Message-----
From: Jason Unovitch [mailto:junovitch@FreeBSD.org]
Sent: Sunday, July 03, 2016 4:52 PM
To: cpe_dictionary <cpe_dictionary@???>
Subject: CPE Inquiry: PCRE - Conflicting Product Information

Hello,
This is in regards to the PCRE (http://pcre.org/)

The preponderance of PCRE entries contain a vendor and product entry of pcre. However there are duplicate entries using the following two product strings:

perl-compatible_regular_expression_library
perl_compatible_regular_expression_library

Note that the former hyphenated version references various 7.x CVEs while the latter version with an underscore is has been adding new entries.
For example, for PCRE 8.38 there are recent entries for both pcre and perl_compatible_regular_expression_library.

https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe:/a:pcre:pcre:8.38
https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe:/a:pcre:perl_compatible_regular_expression_library:8.38

What is the canonical Vendor/Product for PCRE?

Thank you,

Respectively,
Jason Unovitch
FreeBSD Port Security Team

- ----- End forwarded message -----