
Chrome CVEs don't show in chromium, ungoogled-chromium, etc. #1163

Open
chkno opened this issue Jun 29, 2021 · 0 comments

chkno commented Jun 29, 2021

Nearly all Chrome vulnerabilities also apply to chromium, ungoogled-chromium, etc.

Has CVE info:
https://repology.org/project/google-chrome

No CVE info:
https://repology.org/project/chromium
https://repology.org/project/ungoogled-chromium
https://repology.org/project/ungoogled-chromium-wayland
https://repology.org/project/chromium-freeworld
https://repology.org/project/chromium-beta-ozone
https://repology.org/project/chromium-dev-nosync
https://repology.org/project/chromium-dev-ozone
https://repology.org/project/chromium-gost
https://repology.org/project/chromium-legacy
https://repology.org/project/chromium-nosync
https://repology.org/project/chromium-ozone
https://repology.org/project/chromium-snapshot
...
(maybe some of these should be merged?)

These packages all contain nearly all the same code, and so are almost certainly affected by the same vulnerabilities. They all use the same versioning scheme as Chrome (currently around 91.0.4472.114), so the same affected-versions ranges can be used.

How should this information flow into repology?

  1. Should these use-CVE-info-from-other-package relationships be facts that repology knows?
  2. Should these relationships be facts that Gentoo or Ravenports know and repology imports along with the rest of the CPE mapping info?
  3. Should the NIST NVD just track this about each vulnerability? For example, https://nvd.nist.gov/vuln/detail/CVE-2021-30553 currently shows one known-affected configuration: cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*. Ought it also list cpe:2.3:a:google:chromium:*:*:*:*:*:*:*:*, cpe:2.3:a:eloston:ungoogled-chromium:*:*:*:*:*:*:*:*, and twenty others? This seems like it would be the cleanest from a data quality perspective — if the vulnerability is in the small proprietary part of Chrome, there would be a way to express that it does not affect chromium, etc., and this could support chromium-derived projects that use a different version scheme (eg: Vivaldi, Brave, Epic, SlimBrowser, etc.). But I don't see chromium or any of the repackaged-chromium projects, large or small, listed as affected by any of the Chrome vulnerabilities.

(The Chromium family is the largest and most important collection of packages affected by this, but this issue is not Chromium-specific.)
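The following is an added illustration of option 1 from the issue (an "inherits CVE data from" relationship held by the tracker itself), not repology's code. It parses NVD-style CPE 2.3 match strings, resolves a package name to the upstream vendor/product whose configurations apply to it, and checks an affected-version range. The CVE id and CPE strings are the ones quoted above; the version bound attached to the CVE and the inheritance table are constructed for the example and are not real NVD data.

```python
"""Propagate CVE affected-version data from an upstream package (google:chrome)
to packages that ship the same code under another name.

Added example, not repology code. CVE range data below is constructed: only the
CVE id and CPE strings come from the issue; the version bound is invented.
"""
from dataclasses import dataclass
from typing import Optional

CPE_FIELDS = ["cpe", "cpe_version", "part", "vendor", "product", "version", "update",
              "edition", "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 13 named components.
    A backslash-escaped colon inside a component does not split it."""
    parts, cur, i = [], [], 0
    while i < len(cpe):
        c = cpe[i]
        if c == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i:i + 2])
            i += 2
            continue
        if c == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    if len(parts) != len(CPE_FIELDS) or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, parts))


def version_key(v: str) -> tuple:
    """Comparison key for Chrome-style purely numeric dotted versions."""
    return tuple(int(x) for x in v.split("."))


@dataclass
class CpeMatch:
    """One NVD configuration entry: a CPE plus an optional version range."""
    cpe: str
    version_start_including: Optional[str] = None
    version_end_excluding: Optional[str] = None

    def matches(self, vendor: str, product: str, version: str) -> bool:
        f = parse_cpe23(self.cpe)
        if (f["vendor"], f["product"]) != (vendor, product):
            return False
        # A concrete version in the CPE itself must match exactly; '*' or '-' defer to the range.
        if f["version"] not in ("*", "-") and f["version"] != version:
            return False
        v = version_key(version)
        if self.version_start_including and v < version_key(self.version_start_including):
            return False
        if self.version_end_excluding and v >= version_key(self.version_end_excluding):
            return False
        return True


# Constructed NVD-style data: CVE id and CPE as quoted in the issue, range invented.
CVES = {
    "CVE-2021-30553": [
        CpeMatch("cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", version_end_excluding="91.0.4472.114"),
    ],
}

# Constructed "inherits CVE data from" table: package name -> (vendor, product) whose
# NVD configurations also apply to it. Packages not listed get no inherited data.
INHERITS_FROM = {
    "google-chrome": ("google", "chrome"),
    "chromium": ("google", "chrome"),
    "ungoogled-chromium": ("google", "chrome"),
}


def affected_cves(package: str, version: str, cves=CVES, inherits=INHERITS_FROM) -> list:
    """CVE ids whose configurations match `package` at `version`, after
    resolving the package to the upstream CPE vendor/product it inherits from."""
    if package not in inherits:
        return []
    vendor, product = inherits[package]
    return sorted(cve for cve, matches in cves.items()
                  if any(m.matches(vendor, product, version) for m in matches))


if __name__ == "__main__":
    for pkg, ver in [("google-chrome", "91.0.4472.77"), ("chromium", "91.0.4472.77"),
                     ("chromium", "91.0.4472.114"), ("chromium-gost", "91.0.4472.77")]:
        print(pkg, ver, affected_cves(pkg, ver))
```

A package such as chromium-gost that is missing from the inheritance table silently gets no CVEs, which is exactly the gap the issue describes; a tracker adopting this approach would want the table reviewed whenever a new Chromium-derived package appears, and the data model would need a per-CVE exclusion to express the "only the proprietary part of Chrome" case mentioned under option 3.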

AMDmi3 added a commit to repology/repology-rules that referenced this issue Jun 29, 2021