Subject: Please help reviewing CVE entries
From: Léo Le Bouter
To: guix-devel@gnu.org
Date: Fri, 09 Apr 2021 15:04:40 +0200
Hello!

I have been feeling a considerable amount of stress reviewing CVE entries alone. These days I want to focus on other things, and I've been feeling held back because I abandoned the CVE entry reviewing task without anyone doing it when I'm not here.

Right now, at the time of sending this email, I've reviewed in order up until CVE-2021-26709 on the https://nvd.nist.gov/feeds/xml/cve/misc/nvd-rss.xml feed. I use the 'quiterss' package as an RSS reader.

I need help. It's not necessarily a very hard task for most of it, but it's one that requires you to be here often to read the feed.

Once I see a CVE entry, for example:

  CVE-2021-30177  07.04.21 13:15
  There is a SQL Injection vulnerability in PHP-Nuke 8.3.3 in the User Registration section, leading to remote code execution. This occurs because the U.S. state is not validated to be two letters, and the OrderBy field is not validated to be one of LASTNAME, CITY, or STATE.

I look at the summary. Here "PHP-Nuke" seems to be the software name; I know that the PHP ecosystem is not very advanced with GNU Guix packaging, so I suspect it might not be packaged since not a lot of PHP packages exist.
I run these commands to find out:

  $ guix search php-nuke
  $ guix search php nuke

No results. Then, sometimes GNU Guix names packages with the name of the upstream repo instead, and sometimes that's different, so I look into the URL for the CVE entry:

  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30177

Section: References to Advisories, Solutions, and Tools

Often the upstream repo URL is there with a commit, or sometimes an issue URL where we can find the upstream repo URL. In this case there's just a PoC link:

  https://gist.github.com/stacksmasher007/41e946fc9a5a2f0b6950626cc9d43d47

So after that, to make sure, I do a last try with a web search for 'PHP-Nuke'. Here we can find the upstream repo:

  https://bitbucket.org/phpnuke/phpnuke

Then:

  $ guix search phpnuke

Still no results, so we are pretty confident this doesn't exist in GNU Guix and we can go to the next entry. Probably there's no need to be as rigorous and precise as this for every CVE entry; apply your best gut to it.

Then if you find a GNU Guix package for a CVE entry, look at the version and figure out from the available information whether that version is vulnerable. If it's vulnerable and you are certain, open a bug by sending an email to bug-guix@gnu.org similar to this one, for example:

  https://issues.guix.gnu.org/47422

Try to include in the bug how to fix the issue, by saying which version fixes it, or by linking to individual patches or commits that can be applied (and backported if necessary) to fix the issue.

Then once you've sent the email and got the bug id, send an email like this to control@debbugs.gnu.org to add the 'security' tag:

  tags 47422 + security
  quit

Replace 47422 with the bug id you got.
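The feed-reading and package-search steps above, as an added example that is not part of the email: it parses a constructed sample shaped like the NVD RSS feed, skips everything up to the last reviewed id (compared numerically, so CVE-2021-9999 sorts before CVE-2021-26709), and derives the 'guix search' terms to try from the "Name version" hint in each summary. The sample entries, the CVE-2021-99999 placeholder id and the name-spotting regex are assumptions of this example.

```python
# Added example, not from the email: triage new NVD RSS entries as described.
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the nvd-rss.xml feed (RSS 1.0 items with a
# CVE id as title).  Descriptions and the last id are made up for the example.
SAMPLE_FEED = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://purl.org/rss/1.0/">
  <item><title>CVE-2021-26709</title>
    <description>Already reviewed: an issue in Example-Tool 1.0.</description></item>
  <item><title>CVE-2021-30177</title>
    <description>There is a SQL Injection vulnerability in PHP-Nuke 8.3.3
    in the User Registration section.</description></item>
  <item><title>CVE-2021-99999</title>
    <description>Placeholder id: heap overflow in libfoo-bar 2.4.1.</description></item>
</rdf:RDF>"""

CVE_RE = re.compile(r"CVE-(\d{4})-(\d+)")
# "<Name> <version>" such as "PHP-Nuke 8.3.3" is the usual hint for the
# software name in an NVD summary (heuristic assumed by this example).
NAME_VERSION_RE = re.compile(r"\b([A-Za-z][\w.+-]*[A-Za-z\d])\s+(\d+(?:\.\d+)+)")

def cve_key(cve_id):
    """Numeric sort key: 'in-order' review is by year and number, not by string."""
    year, num = CVE_RE.match(cve_id).groups()
    return (int(year), int(num))

def search_terms(summary):
    """Candidate 'guix search' terms, mirroring the php-nuke / php nuke /
    phpnuke attempts: name as given, hyphens as spaces, hyphens dropped."""
    terms = []
    for name, _version in NAME_VERSION_RE.findall(summary):
        low = name.lower()
        for term in (low, low.replace("-", " "), low.replace("-", "")):
            if term not in terms:
                terms.append(term)
    return terms

def unreviewed_entries(feed_xml, last_reviewed):
    """[(cve_id, search_terms)] for feed items newer than last_reviewed."""
    out = []
    for item in ET.fromstring(feed_xml).iter():
        if not item.tag.endswith("item"):
            continue
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "") for c in item}  # drop namespace
        cve_id = fields.get("title", "").strip()
        if CVE_RE.match(cve_id) and cve_key(cve_id) > cve_key(last_reviewed):
            out.append((cve_id, search_terms(fields.get("description", ""))))
    return sorted(out, key=lambda entry: cve_key(entry[0]))
```

Each returned term is meant to be fed to 'guix search' in turn; a package name that matches none of them still deserves the upstream-repo lookup the email describes.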
If you are not certain the version is vulnerable, then you can use 'may be vulnerable' in the title and include all the details you've got so others can pick it up, or even yourself later, so no information is forgotten, similar to this: https://issues.guix.gnu.org/47509 ; we really don't want to forget patching a CVE.

You can find examples of existing bugs tagged for security with:

  https://issues.guix.gnu.org/search?query=tag%3Asecurity

Also open bugs tagged for security (definitely help tackle those as well):

  https://issues.guix.gnu.org/search?query=tag%3Asecurity+is%3Aopen

You can also take the security bugs I opened as examples:

  https://issues.guix.gnu.org/search?query=tag%3Asecurity+submitter%3Alle-bout

Then, as for patching the actual issue in the GNU Guix package set, you must first find the number of dependents that package has using 'guix refresh -l pkg_name'. If it's larger than 300 then you will need to graft to fix the security issue; otherwise you can just update the package.

For grafts, you either have to use ABI-compatible replacements like in

  https://git.savannah.gnu.org/cgit/guix.git/commit/?id=f4dc8ac6dfa036d98aa0990ae22268a9650899d0

or you must apply/backport patches to the version currently packaged in GNU Guix like in

  https://git.savannah.gnu.org/cgit/guix.git/commit/?id=52c8d07a4f7033534a71ac7efeec21a65d35c125

If you feel like you will get things wrong when backporting some patch because you don't know the language well enough or for some other reason, then ask for help and people will help with backporting ASAP.
If backporting is too hard and nobody can do it, but fixing that particular security issue is important because of the severity, then we have to negotiate cutting corners with the rest of the GNU Guix community. For example, recently the syncthing package: https://issues.guix.gnu.org/47627 - the upgrade was blocked because unvendoring was difficult on newer versions; given a CVE, it can be considered acceptable to not unvendor, leave things vendored and build as-is until we can unvendor/unbundle properly later.

If the package has fewer than 300 dependents then you can just upgrade that package and submit a patch on the bug you opened earlier. If you are a committer, that update patch is rather trivial, and everything builds (and some of the dependents too), then you can probably push as-is without additional review to fix the security issue in GNU Guix ASAP.

You can try to use './pre-inst-env guix refresh -u pkg_name' to automagically update the package, then use the 'etc/committer.scm' script to generate commits, then amend them with the specific security fix markings.

About commit messages, what I've been doing until now is:

If the update fixes a single CVE entry and I am certain of that, append in the title before the last period:

  [fixes CVE-2020-1234]

If the update fixes multiple CVE entries and I know the full list of such CVE entries, append in the title before the last period:

  [security fixes]

Then in the commit message body, just below the title:

  Fixes CVE-2020-1234, CVE-2020-1235 and CVE-2020-1236.

If I am not certain I have the full list, I use:

  Fixes at least CVE-2020-1234, CVE-2020-1235 and CVE-2020-1236.

If I don't know the list at all, or it's too time-consuming to obtain the list, I don't specify it at all and only specify '[security fixes]' in the commit message title.

See for examples:

  https://git.savannah.gnu.org/cgit/guix.git/log/?qt=grep&q=security
  https://git.savannah.gnu.org/cgit/guix.git/log/?qt=grep&q=CVE

Please help! Thank you!
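The two mechanical parts of the fix step, the 300-dependents graft-or-update decision and the commit message markings, as an added example that is neither the email's nor Guix's own code: it reads the dependents count out of a constructed 'guix refresh -l' summary line (the wording of that line is recalled from the Guix manual and is an assumption here, as is treating exactly 300 as "update") and writes the title suffix and body line in the convention described above.

```python
# Added example, not from the email: decide graft vs. update from the
# 'guix refresh -l' dependents count and write the commit message markings.
import re

GRAFT_THRESHOLD = 300   # more dependents than this means grafting

# Constructed sample of the summary line printed by 'guix refresh -l'; the
# wording is recalled from the Guix manual (an assumption), the numbers are made up.
SAMPLE_REFRESH_OUTPUT = ("Building the following 3 packages would ensure 412 "
                         "dependent packages are rebuilt: foo@1.2 bar@0.9 baz@4.0")

def dependents_count(refresh_output):
    """Number of dependent packages reported by 'guix refresh -l'."""
    m = re.search(r"ensure (\d+) dependent packages", refresh_output)
    if m:
        return int(m.group(1))
    if "No dependents other than itself" in refresh_output:
        return 0
    if "A single dependent package" in refresh_output:
        return 1
    raise ValueError("unrecognised 'guix refresh -l' output")

def fix_strategy(n_dependents):
    """Graft when the rebuild would be too large, otherwise update the package."""
    return "graft" if n_dependents > GRAFT_THRESHOLD else "update"

def commit_message(title, cves, complete=True):
    """Apply the marking convention from the email.

    title:    plain commit title, e.g. 'gnu: foo: Update to 1.3.'
    cves:     CVE ids the update fixes ([] when the list is unknown)
    complete: whether that list is known to be the full list
    """
    head, dot = (title[:-1], ".") if title.endswith(".") else (title, "")
    if len(cves) == 1 and complete:
        return f"{head} [fixes {cves[0]}]{dot}"          # single CVE, certain
    body = ""
    if cves:
        listed = (", ".join(cves[:-1]) + " and " + cves[-1]) if len(cves) > 1 else cves[0]
        body = "\n\nFixes " + ("" if complete else "at least ") + listed + "."
    return f"{head} [security fixes]{dot}{body}"
```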