From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id G0J3MBuUT2D4dAAA0tVLHw (envelope-from ) for ; Mon, 15 Mar 2021 17:06:35 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id ACgVLBuUT2ArHQAA1q6Kng (envelope-from ) for ; Mon, 15 Mar 2021 17:06:35 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 5AB698A8E for ; Mon, 15 Mar 2021 18:06:35 +0100 (CET) Received: from localhost ([::1]:35048 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lLqfq-0001Qa-EU for larch@yhetil.org; Mon, 15 Mar 2021 13:06:34 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:41506) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lLqbE-0007lW-3H for guix-devel@gnu.org; Mon, 15 Mar 2021 13:01:49 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:47076) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lLqbD-0000bt-4q; Mon, 15 Mar 2021 13:01:47 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=46544 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1lLqbC-0004Iw-7Q; Mon, 15 Mar 2021 13:01:46 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Mark H Weaver Subject: Re: CVEs missing from the NIST database References: <20210312110935.16174.44675@vcs0.savannah.gnu.org> <20210312110938.317BD20B2E@vcs0.savannah.gnu.org> <871rcktmkw.fsf_-_@gnu.org> <87czw415jc.fsf@netris.org> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 25 =?utf-8?Q?Vent=C3=B4se?= an 229 de la =?utf-8?Q?R?= =?utf-8?Q?=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Mon, 15 Mar 2021 18:01:44 +0100 In-Reply-To: <87czw415jc.fsf@netris.org> (Mark H. Weaver's message of "Fri, 12 Mar 2021 15:27:08 -0500") Message-ID: <87blbke4g7.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1615827995; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=U0vwoK9a0nQ+IO4Ixfk1seRThOpOwnZR73IZ21whUxg=; b=hX8z5y8zFnftW3aDyE8I8dP0DkcHpFiLfpR8RZLVuguRbb5Q0iSDs8EbzHcWS9oRrNiuvM S5lSLb4/zq/eWlj9sP3Y2U+y/8W03dhQgxTRnQZhe59+FibfT/ls32lUonx+GpLEzYLVM7 tXrcVoQ2CJ1O6FbJgTRZKR5Il1y9mGpCLlJkZr8d3kFCuIoz6gjAHgtOdKmO6l6GQt/AXB 8kFcISZ3h9gUvSa/cPq6eB0GhJVbCSCDuMV7y+iz74dcmzaude2laf3mEJ7p8yEF+e9a1S MVv0xLqO9AURAXkQpZewoND68H2np30FkgAZaexTHLB0QAqaxRPaDBjk46f7vw== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1615827995; a=rsa-sha256; cv=none; b=CEKM5J29srqSw1d6P6M/dRiuPQoQumCZdJHbujPzoTVZAvhmY4Cb+0vzm/rb3axgWUBaHe dBy2hebg3QhLZlhSFGb/vPTJLpybzdgEa879hu9KLOpHUKaAztVIme7/k507Vsbjio3tcP MVWy1Z7vAYMsVJHPpq/D1Hhy5v4usmT7x8PKceM1wxrfukt2QzfMhjtzhxRCpeNi84sxOT 65VDyWQCDBJX61u8flAe5de+C7MwCq0NMSzAb152IjqWE1oupdifDCYpIIcG2Z+lEzW6JA bg+FuY2Icp51zBb/i6mwETxsIZ7Z8vWu/W4l3lz28+hn0mO47sT6KT+fWPOVKw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -2.90 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 5AB698A8E X-Spam-Score: -2.90 X-Migadu-Scanner: scn0.migadu.com X-TUID: CzwbpKkW45fk Hi Mark, Mark H Weaver skribis: > Ludovic Court=C3=A8s writes: > >> In this case, I noticed that =E2=80=98guix lint -c cve cairo=E2=80=99 wo= uldn=E2=80=99t report >> CVE-2020-35492 and found that >> is 404. >> >> Likewise, this command: >> >> wget -qO - "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.j= son.gz" | \ >> gunzip | grep CVE-202-35492 >> >> turns up nothing. >> >> It could be that this CVE is still =E2=80=9Cpending=E2=80=9D (I think th= at happens >> sometimes). Do you know more about this one? > > I was looking in Debian's cairo package for fixes for other CVEs (namely > the ones that "guix lint -c cve cairo" *did* report), and noticed that > they included a fix for CVE-2020-35492. I didn't investigate further. OK. It could be that it hasn=E2=80=99t reached the NIST database yet, as L= eo wrote. > While we're on the subject on issues with the CVE database, or possibly > with our linter, "guix lint -c cve" now erroneously reports: > > gnu/packages/gnome.scm:8434:2: gnome-shell@3.34.5: probably vulnerable to= CVE-2019-3820 > gnu/packages/gnome.scm:6452:2: gvfs@1.40.2: probably vulnerable to CVE-20= 19-12447, CVE-2019-12448, CVE-2019-12449 > > > All of these are incorrect. > > * CVE-2019-3820 was fixed long before GNOME 3.34 came out, and I've > verified that the commit that fixes it is included in > gnome-shell-3.34.5: > > commit f0a7395b3006360905ccdc642982f9fc67378927 > Author: Ray Strode > Date: Wed Jan 23 15:59:15 2019 -0500 > > shellActionModes: disable POPUP keybindings in unlock screen > > * CVE-2019-12447, CVE-2019-12448, and CVE-2019-12449 are fixed in > gvfs-1.40.2, according to its NEWS file: Yes, that can happen when the CVE doesn=E2=80=99t list affected versions: https://www.openwall.com/lists/oss-security/2017/03/15/3 The solution here is to add a =E2=80=98lint-hidden-cve=E2=80=99 property to= the package with a comment explaining why we think these CVEs can be ignored (info "(guix) Invoking guix lint"). Thanks, Ludo=E2=80=99.