unofficial mirror of guix-devel@gnu.org 
* CVEs missing from the NIST database
@ 2021-03-12 15:31   ` Ludovic Courtès
  2021-03-12 17:50     ` Leo Famulari
  2021-03-12 20:27     ` Mark H Weaver
  0 siblings, 2 replies; 5+ messages in thread
From: Ludovic Courtès @ 2021-03-12 15:31 UTC (permalink / raw)
  To: guix-devel, Mark H Weaver

Hi Mark,

guix-commits@gnu.org writes:

> commit bc16eacc99e801ac30cbe2aa649a2be3ca5c102a
> Author: Mark H Weaver <mhw@netris.org>
> AuthorDate: Fri Mar 12 05:24:36 2021 -0500
>
>     gnu: cairo: Fix CVE-2018-19876 and CVE-2020-35492.
>     
>     * gnu/packages/patches/cairo-CVE-2018-19876.patch,
>     gnu/packages/patches/cairo-CVE-2020-35492.patch: New files.
>     * gnu/local.mk (dist_patch_DATA): Add them.
>     * gnu/packages/gtk.scm (cairo)[replacement]: New field.
>     (cairo/fixed): New variable.
>     (cairo-xcb): Use package/inherit.

Since there are a lot of CVEs getting fixed in Guix these days (thanks
folks!), I’m trying to see how helpful (guix cve) is for those.

In this case, I noticed that ‘guix lint -c cve cairo’ wouldn’t report
CVE-2020-35492 and found that
<https://nvd.nist.gov/vuln/detail/CVE-2020-35492> is 404.

Likewise, this command:

   wget -qO - "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz" | \
     gunzip | grep CVE-2020-35492

turns up nothing.

It could be that this CVE is still “pending” (I think that happens
sometimes).  Do you know more about this one?

Thanks,
Ludo’.



* Re: CVEs missing from the NIST database
  2021-03-12 15:31   ` CVEs missing from the NIST database Ludovic Courtès
@ 2021-03-12 17:50     ` Leo Famulari
  2021-03-12 20:27     ` Mark H Weaver
  1 sibling, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2021-03-12 17:50 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel


On Fri, Mar 12, 2021 at 04:31:59PM +0100, Ludovic Courtès wrote:
> It could be that this CVE is still “pending” (I think that happens
> sometimes).  Do you know more about this one?

I found some references from other distros:

https://access.redhat.com/security/cve/cve-2020-35492
https://security-tracker.debian.org/tracker/CVE-2020-35492

... and the upstream bug report:

https://gitlab.freedesktop.org/cairo/cairo/-/issues/437

My impression of the process around reporting and registering CVE IDs is
that it's somewhat decentralized now, so there can be a lack of
coordination between reporters and "canonical" authorities like NIST.



* Re: CVEs missing from the NIST database
  2021-03-12 15:31   ` CVEs missing from the NIST database Ludovic Courtès
  2021-03-12 17:50     ` Leo Famulari
@ 2021-03-12 20:27     ` Mark H Weaver
  2021-03-15 17:01       ` Ludovic Courtès
  1 sibling, 1 reply; 5+ messages in thread
From: Mark H Weaver @ 2021-03-12 20:27 UTC (permalink / raw)
  To: Ludovic Courtès, guix-devel

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> In this case, I noticed that ‘guix lint -c cve cairo’ wouldn’t report
> CVE-2020-35492 and found that
> <https://nvd.nist.gov/vuln/detail/CVE-2020-35492> is 404.
>
> Likewise, this command:
>
>    wget -qO - "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz" | \
>      gunzip | grep CVE-2020-35492
>
> turns up nothing.
>
> It could be that this CVE is still “pending” (I think that happens
> sometimes).  Do you know more about this one?

I was looking in Debian's cairo package for fixes for other CVEs (namely
the ones that "guix lint -c cve cairo" *did* report), and noticed that
they included a fix for CVE-2020-35492.  I didn't investigate further.

While we're on the subject of issues with the CVE database, or possibly
with our linter, "guix lint -c cve" now erroneously reports:

--8<---------------cut here---------------start------------->8---
gnu/packages/gnome.scm:8434:2: gnome-shell@3.34.5: probably vulnerable to CVE-2019-3820
gnu/packages/gnome.scm:6452:2: gvfs@1.40.2: probably vulnerable to CVE-2019-12447, CVE-2019-12448, CVE-2019-12449
--8<---------------cut here---------------end--------------->8---

All of these are incorrect.

* CVE-2019-3820 was fixed long before GNOME 3.34 came out, and I've
  verified that the commit that fixes it is included in
  gnome-shell-3.34.5:

    commit f0a7395b3006360905ccdc642982f9fc67378927
    Author: Ray Strode <rstrode@redhat.com>
    Date:   Wed Jan 23 15:59:15 2019 -0500

    shellActionModes: disable POPUP keybindings in unlock screen

* CVE-2019-12447, CVE-2019-12448, and CVE-2019-12449 are fixed in
  gvfs-1.40.2, according to its NEWS file:

--8<---------------cut here---------------start------------->8---
Major changes in 1.40.2
=======================
* daemon: Only accept EXTERNAL authentication (CVE-2019-12795)
* daemon: Check that the connecting client is the same user (CVE-2019-12795)
* admin: Ensure correct ownership when moving to file:// uri (CVE-2019-12449)
* admin: Use fsuid to ensure correct file ownership (CVE-2019-12447)
* admin: Allow changing file owner (CVE-2019-12447)
* admin: Add query_info_on_read/write functionality (CVE-2019-12448)
* afc: Remove assumptions about length of device UUID to support new devices
* gmountsource: Fix deadlocks in synchronous API
* afp: Fix afp backend crash when no username supplied
* Translation updates
--8<---------------cut here---------------end--------------->8---

      Mark



* Re: CVEs missing from the NIST database
  2021-03-12 20:27     ` Mark H Weaver
@ 2021-03-15 17:01       ` Ludovic Courtès
  2021-03-17  4:15         ` Mark H Weaver
  0 siblings, 1 reply; 5+ messages in thread
From: Ludovic Courtès @ 2021-03-15 17:01 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

Hi Mark,

Mark H Weaver <mhw@netris.org> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> In this case, I noticed that ‘guix lint -c cve cairo’ wouldn’t report
>> CVE-2020-35492 and found that
>> <https://nvd.nist.gov/vuln/detail/CVE-2020-35492> is 404.
>>
>> Likewise, this command:
>>
>>    wget -qO - "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz" | \
>>      gunzip | grep CVE-2020-35492
>>
>> turns up nothing.
>>
>> It could be that this CVE is still “pending” (I think that happens
>> sometimes).  Do you know more about this one?
>
> I was looking in Debian's cairo package for fixes for other CVEs (namely
> the ones that "guix lint -c cve cairo" *did* report), and noticed that
> they included a fix for CVE-2020-35492.  I didn't investigate further.

OK.  It could be that it hasn’t reached the NIST database yet, as Leo
wrote.

> While we're on the subject on issues with the CVE database, or possibly
> with our linter, "guix lint -c cve" now erroneously reports:
>
> gnu/packages/gnome.scm:8434:2: gnome-shell@3.34.5: probably vulnerable to CVE-2019-3820
> gnu/packages/gnome.scm:6452:2: gvfs@1.40.2: probably vulnerable to CVE-2019-12447, CVE-2019-12448, CVE-2019-12449
>
>
> All of these are incorrect.
>
> * CVE-2019-3820 was fixed long before GNOME 3.34 came out, and I've
>   verified that the commit that fixes it is included in
>   gnome-shell-3.34.5:
>
>     commit f0a7395b3006360905ccdc642982f9fc67378927
>     Author: Ray Strode <rstrode@redhat.com>
>     Date:   Wed Jan 23 15:59:15 2019 -0500
>
>     shellActionModes: disable POPUP keybindings in unlock screen
>
> * CVE-2019-12447, CVE-2019-12448, and CVE-2019-12449 are fixed in
>   gvfs-1.40.2, according to its NEWS file:

Yes, that can happen when the CVE doesn’t list affected versions:

  https://www.openwall.com/lists/oss-security/2017/03/15/3

The solution here is to add a ‘lint-hidden-cve’ property to the package
with a comment explaining why we think these CVEs can be ignored (info
"(guix) Invoking guix lint").

Thanks,
Ludo’.
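As an added example (not code from this thread, and not the code behind
‘guix lint -c cve’), here is a small Python script that does the two things
discussed above against an NVD JSON 1.1 feed: it looks a CVE ID up by
parsing the decompressed feed instead of grepping the raw JSON, returning
None when the ID is simply absent (the 404 case), and it decides which
entries cover a given package version from their CPE configuration,
treating an entry that carries no version information at all as covering
every version, which is how an already-fixed gnome-shell or gvfs ends up
"probably vulnerable", and skipping IDs on a hidden list, the role the
‘lint-hidden-cve’ property plays. The feed contents, the product
example:widget and the IDs CVE-2020-00001 and CVE-2020-00002 are
constructed for offline use and describe no real software; the version
matching is a simplification of the linter's logic, not a copy of it.

```python
"""Look up CVE IDs in an NVD JSON 1.1 feed and decide which entries cover
a given package version.  The feed used here is constructed inline so the
script runs offline; feed it the bytes of a real nvdcve-1.1-YYYY.json.gz
to run it against NIST data."""
import gzip
import io
import json
from typing import Iterable, Iterator, List, Optional

# Constructed, heavily trimmed NVD 1.1 feed: two made-up CVE IDs against a
# made-up product "example:widget".  Real items carry many more fields.
SAMPLE_FEED = {
    "CVE_data_type": "CVE",
    "CVE_data_format": "MITRE",
    "CVE_data_version": "4.0",
    "CVE_Items": [
        {
            # Entry with a proper version range: fixed in 1.2.0.
            "cve": {"CVE_data_meta": {"ID": "CVE-2020-00001"}},
            "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
                {"vulnerable": True,
                 "cpe23Uri": "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*",
                 "versionEndExcluding": "1.2.0"}]}]},
        },
        {
            # Entry that names the product but gives no version at all.
            "cve": {"CVE_data_meta": {"ID": "CVE-2020-00002"}},
            "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
                {"vulnerable": True,
                 "cpe23Uri": "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*"}]}]},
        },
    ],
}
# Gzipped like the files NIST serves, so load_feed() mirrors `wget | gunzip`.
FEED_GZ = gzip.compress(json.dumps(SAMPLE_FEED).encode("utf-8"))


def load_feed(gz_bytes: bytes) -> dict:
    """Decompress and parse a feed."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        return json.load(fh)


def find_cve(feed: dict, cve_id: str) -> Optional[dict]:
    """Return the feed item for CVE_ID, or None when the feed does not
    carry it (the situation behind the 404 in this thread)."""
    for item in feed.get("CVE_Items", []):
        if item["cve"]["CVE_data_meta"]["ID"] == cve_id:
            return item
    return None


def _cpe_matches(nodes: Iterable[dict]) -> Iterator[dict]:
    """Flatten the (possibly nested) configuration tree into cpe_match dicts."""
    for node in nodes:
        yield from node.get("cpe_match", [])
        yield from _cpe_matches(node.get("children", []))


def _version_key(version: str) -> tuple:
    """Order dotted numeric versions; non-numeric components sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def cpe_match_covers(match: dict, version: str) -> bool:
    """True if this cpe_match covers VERSION.  With neither an explicit
    version in the CPE nor any range bound, the entry covers *every*
    version, which is how an already-fixed package gets reported."""
    if not match.get("vulnerable", False):
        return False
    v = _version_key(version)
    cpe_version = match["cpe23Uri"].split(":")[5]
    if cpe_version != "*":
        return _version_key(cpe_version) == v
    bounds = {
        "versionStartIncluding": lambda b: v >= _version_key(b),
        "versionStartExcluding": lambda b: v > _version_key(b),
        "versionEndIncluding": lambda b: v <= _version_key(b),
        "versionEndExcluding": lambda b: v < _version_key(b),
    }
    present = [k for k in bounds if k in match]
    if not present:
        return True
    return all(bounds[k](match[k]) for k in present)


def affected_cves(feed: dict, vendor: str, product: str, version: str,
                  hidden: Iterable[str] = ()) -> List[str]:
    """CVE IDs whose configuration covers VENDOR:PRODUCT at VERSION, minus
    the IDs in HIDDEN (what the lint-hidden-cve property does in Guix)."""
    prefix = f"cpe:2.3:a:{vendor}:{product}:"
    hidden = set(hidden)
    found = set()
    for item in feed.get("CVE_Items", []):
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        if cve_id in hidden:
            continue
        nodes = item.get("configurations", {}).get("nodes", [])
        if any(m["cpe23Uri"].startswith(prefix) and cpe_match_covers(m, version)
               for m in _cpe_matches(nodes)):
            found.add(cve_id)
    return sorted(found)


if __name__ == "__main__":
    feed = load_feed(FEED_GZ)
    print(find_cve(feed, "CVE-2020-35492"))              # None: not in this feed
    print(affected_cves(feed, "example", "widget", "1.1.0"))
    print(affected_cves(feed, "example", "widget", "1.2.0"))
    print(affected_cves(feed, "example", "widget", "1.2.0",
                        hidden=["CVE-2020-00002"]))
```

Against the constructed feed, version 1.1.0 is covered by both entries, 1.2.0
only by the entry with no version data, and hiding that ID leaves nothing; an
absent ID like CVE-2020-35492 comes back as None rather than as a grep miss
that could equally be a typo in the pattern.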



* Re: CVEs missing from the NIST database
  2021-03-15 17:01       ` Ludovic Courtès
@ 2021-03-17  4:15         ` Mark H Weaver
  0 siblings, 0 replies; 5+ messages in thread
From: Mark H Weaver @ 2021-03-17  4:15 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> Yes, that can happen when the CVE doesn’t list affected versions:
>
>   https://www.openwall.com/lists/oss-security/2017/03/15/3

Thank you for pointing out that thread, and for starting it 4 years ago.
I found it illuminating.

> The solution here is to add a ‘lint-hidden-cve’ property to the
> package with a comment explaining why we think these CVEs can be
> ignored (info "(guix) Invoking guix lint").

I've now done so for 'gnome-shell' and 'gvfs'.

    Thanks,
      Mark


