Merge remote-tracking branch 'origin/master' into staging

With resolved conflicts in: gnu/packages/bittorrent.scm gnu/packages/databases.scm gnu/packages/geo.scm gnu/packages/gnupg.scm gnu/packages/gstreamer.scm gnu/packages/gtk.scm gnu/packages/linux.scm gnu/packages/python-xyz.scm gnu/packages/xorg.scm guix/build/qt-utils.scm
author: Maxim Cournoyer <maxim.cournoyer@gmail.com> 2021-10-01 17:10:49 -0400
committer: Maxim Cournoyer <maxim.cournoyer@gmail.com> 2021-10-01 17:10:49 -0400
commit: 2e65e4834a226c570866f2e8976ed7f252b45cd1 (patch)
tree: 21d625bce8d03627680214df4a6622bf8eb79dc9 /guix/cve.scm
parent: 9c68ecb24dd1660ce736cdcdea0422a73ec318a2 (diff)
parent: f1a3c11407b52004e523ec5de20d326c5661681f (diff)
1 files changed, 18 insertions, 13 deletions
diff --git a/guix/cve.scm b/guix/cve.scm
index b3a8b13a06..9e1cf5b587 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -99,7 +99,9 @@
 
 (define (reference-data->cve-references alist)
   (map json->cve-reference
-       (vector->list (assoc-ref alist "reference_data"))))
+       ;; Normally "reference_data" is always present but rejected CVEs such
+       ;; as CVE-2020-10020 can lack it.
+       (vector->list (or (assoc-ref alist "reference_data") '#()))))
 
 (define %cpe-package-rx
   ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
@@ -137,17 +139,20 @@ package."
         (starte (assoc-ref alist "versionStartExcluding"))
         (endi   (assoc-ref alist "versionEndIncluding"))
         (ende   (assoc-ref alist "versionEndExcluding")))
-    (let-values (((package version) (cpe->package-name cpe)))
-      (and package
-           `(,package
-              ,(cond ((and (or starti starte) (or endi ende))
-                      `(and ,(if starti `(>= ,starti) `(> ,starte))
-                            ,(if endi `(<= ,endi) `(< ,ende))))
-                     (starti `(>= ,starti))
-                     (starte `(> ,starte))
-                     (endi   `(<= ,endi))
-                     (ende   `(< ,ende))
-                     (else   version)))))))
+    ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
+    ;; has a configuration that lacks it.
+    (and cpe
+         (let-values (((package version) (cpe->package-name cpe)))
+           (and package
+                `(,package
+                   ,(cond ((and (or starti starte) (or endi ende))
+                           `(and ,(if starti `(>= ,starti) `(> ,starte))
+                                 ,(if endi `(<= ,endi) `(< ,ende))))
+                          (starti `(>= ,starti))
+                          (starte `(> ,starte))
+                          (endi   `(<= ,endi))
+                          (ende   `(< ,ende))
+                          (else   version))))))))
 
 (define (configuration-data->cve-configurations alist)
   "Given ALIST, a JSON dictionary for the baroque \"configurations\"
author	Maxim Cournoyer <maxim.cournoyer@gmail.com>	2021-10-01 17:10:49 -0400
committer	Maxim Cournoyer <maxim.cournoyer@gmail.com>	2021-10-01 17:10:49 -0400
commit	2e65e4834a226c570866f2e8976ed7f252b45cd1 (patch)
tree	21d625bce8d03627680214df4a6622bf8eb79dc9 /guix/cve.scm
parent	9c68ecb24dd1660ce736cdcdea0422a73ec318a2 (diff)
parent	f1a3c11407b52004e523ec5de20d326c5661681f (diff)