CVEs missing from the NIST database

CVEs missing from the NIST database

[Ludovic Courtès]

Hi Mark,

guix-commits@gnu.org skribis:

> commit bc16eacc99e801ac30cbe2aa649a2be3ca5c102a
> Author: Mark H Weaver <mhw@netris.org>
> AuthorDate: Fri Mar 12 05:24:36 2021 -0500
>
>     gnu: cairo: Fix CVE-2018-19876 and CVE-2020-35492.
>     
>     * gnu/packages/patches/cairo-CVE-2018-19876.patch,
>     gnu/packages/patches/cairo-CVE-2020-35492.patch: New files.
>     * gnu/local.mk (dist_patch_DATA): Add them.
>     * gnu/packages/gtk.scm (cairo)[replacement]: New field.
>     (cairo/fixed): New variable.
>     (cairo-xcb): Use package/inherit.

Since there are lot of CVEs getting fixed in Guix these days (thanks
folks!), I’m trying to see how helpful (guix cve) is for those.

In this case, I noticed that ‘guix lint -c cve cairo’ wouldn’t report
CVE-2020-35492 and found that
<https://nvd.nist.gov/vuln/detail/CVE-2020-35492> is 404.

Likewise, this command:

   wget -qO - "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz" | \
     gunzip | grep CVE-202-35492

turns up nothing.

It could be that this CVE is still “pending” (I think that happens
sometimes).  Do you know more about this one?

Thanks,
Ludo’.

Re: CVEs missing from the NIST database

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 659 bytes --]

On Fri, Mar 12, 2021 at 04:31:59PM +0100, Ludovic Courtès wrote:
> It could be that this CVE is still “pending” (I think that happens
> sometimes).  Do you know more about this one?

I found some references from other distros:

https://access.redhat.com/security/cve/cve-2020-35492
https://security-tracker.debian.org/tracker/CVE-2020-35492

... and the upstream bug report:

https://gitlab.freedesktop.org/cairo/cairo/-/issues/437

My impression of the process around reporting and registering CVE IDs is
that it's somewhat decentralized now, so there can be lack of
coordination between reporters and "canonical" authorities like NIST.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: CVEs missing from the NIST database

[Mark H Weaver]

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> In this case, I noticed that ‘guix lint -c cve cairo’ wouldn’t report
> CVE-2020-35492 and found that
> <https://nvd.nist.gov/vuln/detail/CVE-2020-35492> is 404.
>
> Likewise, this command:
>
>    wget -qO - "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz" | \
>      gunzip | grep CVE-202-35492
>
> turns up nothing.
>
> It could be that this CVE is still “pending” (I think that happens
> sometimes).  Do you know more about this one?

I was looking in Debian's cairo package for fixes for other CVEs (namely
the ones that "guix lint -c cve cairo" *did* report), and noticed that
they included a fix for CVE-2020-35492.  I didn't investigate further.

While we're on the subject on issues with the CVE database, or possibly
with our linter, "guix lint -c cve" now erroneously reports:

--8<---------------cut here---------------start------------->8---
gnu/packages/gnome.scm:8434:2: gnome-shell@3.34.5: probably vulnerable to CVE-2019-3820
gnu/packages/gnome.scm:6452:2: gvfs@1.40.2: probably vulnerable to CVE-2019-12447, CVE-2019-12448, CVE-2019-12449
--8<---------------cut here---------------end--------------->8---

All of these are incorrect.

* CVE-2019-3820 was fixed long before GNOME 3.34 came out, and I've
  verified that the commit that fixes it is included in
  gnome-shell-3.34.5:

    commit f0a7395b3006360905ccdc642982f9fc67378927
    Author: Ray Strode <rstrode@redhat.com>
    Date:   Wed Jan 23 15:59:15 2019 -0500

    shellActionModes: disable POPUP keybindings in unlock screen

* CVE-2019-12447, CVE-2019-12448, and CVE-2019-12449 are fixed in
  gvfs-1.40.2, according to its NEWS file:

--8<---------------cut here---------------start------------->8---
Major changes in 1.40.2
=======================
* daemon: Only accept EXTERNAL authentication (CVE-2019-12795)
* daemon: Check that the connecting client is the same user (CVE-2019-12795)
* admin: Ensure correct ownership when moving to file:// uri (CVE-2019-12449)
* admin: Use fsuid to ensure correct file ownership (CVE-2019-12447)
* admin: Allow changing file owner (CVE-2019-12447)
* admin: Add query_info_on_read/write functionality (CVE-2019-12448)
* afc: Remove assumptions about length of device UUID to support new devices
* gmountsource: Fix deadlocks in synchronous API
* afp: Fix afp backend crash when no username supplied
* Translation updates
--8<---------------cut here---------------end--------------->8---

      Mark

Re: CVEs missing from the NIST database

[Ludovic Courtès]

Hi Mark,

Mark H Weaver <mhw@netris.org> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> In this case, I noticed that ‘guix lint -c cve cairo’ wouldn’t report
>> CVE-2020-35492 and found that
>> <https://nvd.nist.gov/vuln/detail/CVE-2020-35492> is 404.
>>
>> Likewise, this command:
>>
>>    wget -qO - "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz" | \
>>      gunzip | grep CVE-202-35492
>>
>> turns up nothing.
>>
>> It could be that this CVE is still “pending” (I think that happens
>> sometimes).  Do you know more about this one?
>
> I was looking in Debian's cairo package for fixes for other CVEs (namely
> the ones that "guix lint -c cve cairo" *did* report), and noticed that
> they included a fix for CVE-2020-35492.  I didn't investigate further.

OK.  It could be that it hasn’t reached the NIST database yet, as Leo
wrote.

> While we're on the subject on issues with the CVE database, or possibly
> with our linter, "guix lint -c cve" now erroneously reports:
>
> gnu/packages/gnome.scm:8434:2: gnome-shell@3.34.5: probably vulnerable to CVE-2019-3820
> gnu/packages/gnome.scm:6452:2: gvfs@1.40.2: probably vulnerable to CVE-2019-12447, CVE-2019-12448, CVE-2019-12449
>
>
> All of these are incorrect.
>
> * CVE-2019-3820 was fixed long before GNOME 3.34 came out, and I've
>   verified that the commit that fixes it is included in
>   gnome-shell-3.34.5:
>
>     commit f0a7395b3006360905ccdc642982f9fc67378927
>     Author: Ray Strode <rstrode@redhat.com>
>     Date:   Wed Jan 23 15:59:15 2019 -0500
>
>     shellActionModes: disable POPUP keybindings in unlock screen
>
> * CVE-2019-12447, CVE-2019-12448, and CVE-2019-12449 are fixed in
>   gvfs-1.40.2, according to its NEWS file:

Yes, that can happen when the CVE doesn’t list affected versions:

  https://www.openwall.com/lists/oss-security/2017/03/15/3

The solution here is to add a ‘lint-hidden-cve’ property to the package
with a comment explaining why we think these CVEs can be ignored (info
"(guix) Invoking guix lint").

Thanks,
Ludo’.

Re: CVEs missing from the NIST database

[Mark H Weaver]

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> Yes, that can happen when the CVE doesn’t list affected versions:
>
>   https://www.openwall.com/lists/oss-security/2017/03/15/3

Thank you for pointing out that thread, and for starting it 4 years ago.
I found it illuminating.

> The solution here is to add a ‘lint-hidden-cve’ property to the
> package with a comment explaining why we think these CVEs can be
> ignored (info "(guix) Invoking guix lint").

I've now done so for 'gnome-shell' and 'gvfs'.

    Thanks,
      Mark