From: Joshua Branson <jbranso@dismail.de>
To: Léo Le Bouter
Cc: guix-devel@gnu.org
Subject: Re: Please help reviewing CVE entries
Date: Wed, 14 Apr 2021 14:44:48 -0400
Message-ID: <8735vs904f.fsf@dismail.de>
In-Reply-To: ("Léo Le Bouter"'s message of "Fri, 09 Apr 2021 15:04:40 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
Léo Le Bouter writes:

This is a really good write-up. This could be documented in the
contributing section of the manual, to give newcomers an idea of how
they can help out! I'll add it to my list of guix things to do, but
I'm pretty slow to do the things on that list. Maybe someone will beat
me to it!

> Hello!
>
> I have been feeling a considerable amount of stress reviewing CVE
> entries alone; these days I want to focus on other things and I've
> been feeling held back because I abandoned the CVE entry reviewing
> task without anyone doing it when I'm not here.
>
> Right now, at the time of sending this email, I've reviewed in order
> up until CVE-2021-26709 on the
> https://nvd.nist.gov/feeds/xml/cve/misc/nvd-rss.xml feed. I use the
> 'quiterss' package as an RSS reader.
>
> I need help. It's not necessarily a very hard task for most of it,
> but it's one that requires you to be here often to read the feed.
>
> Once I see a CVE entry, for example:
>
> CVE-2021-30177 07.04.21 13:15
> There is a SQL Injection vulnerability in PHP-Nuke 8.3.3 in the User
> Registration section, leading to remote code execution. This occurs
> because the U.S. state is not validated to be two letters, and the
> OrderBy field is not validated to be one of LASTNAME, CITY, or STATE.
>
> I look at the summary; here "PHP-Nuke" seems to be the software name.
> I know that the PHP ecosystem is not very advanced with GNU Guix
> packaging, so I suspect it might not be packaged since not a lot of
> PHP packages exist.
>
> I run these commands to find out:
>
> $ guix search php-nuke
> $ guix search php nuke
>
> No results. Then, sometimes GNU Guix names packages with the name of
> the upstream repo, and sometimes that's different, so I look into the
> URL for the CVE entry:
>
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30177
>
> Section: References to Advisories, Solutions, and Tools
>
> Often the upstream repo URL is there with a commit, or sometimes an
> issue URL where we can find the upstream repo URL; in this case
> there's just a PoC link:
>
> https://gist.github.com/stacksmasher007/41e946fc9a5a2f0b6950626cc9d43d47
>
> So after that, to make sure, I do a last try with a web search for
> 'PHP-Nuke'; here we can find the upstream repo:
>
> https://bitbucket.org/phpnuke/phpnuke
>
> Then:
>
> $ guix search phpnuke
>
> Still no results, so we are pretty confident this doesn't exist in
> GNU Guix and we can go to the next entry.
>
> Probably there's no need to be as rigorous and precise as this for
> every CVE entry; apply your best gut to it.
>
> Then if you find a GNU Guix package for a CVE entry, look at the
> version and figure out from the available information if that version
> is vulnerable. If it's vulnerable and you are certain, open a bug by
> sending an email to bug-guix@gnu.org similar to these, for example:
> https://issues.guix.gnu.org/47422 - try to include in the bug how to
> fix the issue, by saying which version fixes it, or link to individual
> patches or commits that can be applied (and backported if necessary)
> to fix the issue.
>
> Then once you've sent the email and got the bug id, send an email like
> this to control@debbugs.gnu.org to add the 'security' tag:
>
> tags 47422 + security
> quit
>
> Replace 47422 with the bug id you got.
>
> If you are not certain the version is vulnerable, then you can use
> 'may be vulnerable' in the title and include all the details you've
> got so others can pick it up, or even yourself later, so no
> information is forgotten, similar to this:
> https://issues.guix.gnu.org/47509 ; we really don't want to forget
> patching a CVE.
>
> You can find examples of existing bugs tagged for security with:
>
> https://issues.guix.gnu.org/search?query=tag%3Asecurity
>
> Also open bugs tagged for security (definitely help tackle those as
> well):
>
> https://issues.guix.gnu.org/search?query=tag%3Asecurity+is%3Aopen
>
> You can also take example from the security bugs I opened:
>
> https://issues.guix.gnu.org/search?query=tag%3Asecurity+submitter%3Alle-bout
>
> Then, as for patching the actual issue in the GNU Guix package set,
> you must first find the number of dependents that package has using
> 'guix refresh -l pkg_name'. If it's larger than 300 then you will need
> to graft to fix the security issue; otherwise you can just update the
> package.
>
> For grafts, you either have to use ABI-compatible replacements like in
> https://git.savannah.gnu.org/cgit/guix.git/commit/?id=f4dc8ac6dfa036d98aa0990ae22268a9650899d0
> or you must apply/backport patches to the version currently packaged
> in GNU Guix like in
> https://git.savannah.gnu.org/cgit/guix.git/commit/?id=52c8d07a4f7033534a71ac7efeec21a65d35c125
>
> If you feel like you will get things wrong when backporting some patch
> because you don't know the language well enough or else, then ask for
> help and people will help with backporting ASAP. If backporting is too
> hard and nobody can do it, but fixing that particular security issue
> is important because of the severity, then we have to negotiate
> cutting corners with the rest of the GNU Guix community. For example,
> recently the syncthing package: https://issues.guix.gnu.org/47627 -
> the upgrade was blocked because unvendoring was difficult on newer
> versions; seeing a CVE, it can be considered acceptable to not
> unvendor and leave things vendored and build as-is until we can
> unvendor/unbundle properly later.
>
> If the package has fewer than 300 dependents then you can just
> upgrade that package and submit a patch on the bug you opened earlier.
> If you are a committer and that update patch is rather trivial and
> everything builds, and some of the dependents too, then you can
> probably push as-is without additional review to fix the security
> issue in GNU Guix ASAP.
>
> You can try to use './pre-inst-env guix refresh -u pkg_name' to
> automagically update the package, then use the 'etc/committer.scm'
> script to generate commits, then amend them with specific security
> fix markings.
>
> About commit messages, what I've been doing until now is:
>
> If the update fixes a single CVE entry and I am certain of that,
> append in the title before the last period:
>
> [fixes CVE-2020-1234]
>
> If the update fixes multiple CVE entries and I know the full list of
> such CVE entries, append in the title before the last period:
>
> [security fixes]
>
> Then in the commit message body just below the title:
>
> Fixes CVE-2020-1234, CVE-2020-1235 and CVE-2020-1236.
>
> If I am not certain I have the full list, I use:
>
> Fixes at least CVE-2020-1234, CVE-2020-1235 and CVE-2020-1236.
>
> If I don't know the list at all or it's too time-consuming to obtain
> the list, I don't specify it at all and only specify '[security
> fixes]' in the commit message title.
>
> See for examples:
>
> https://git.savannah.gnu.org/cgit/guix.git/log/?qt=grep&q=security
> https://git.savannah.gnu.org/cgit/guix.git/log/?qt=grep&q=CVE
>
> Please help!
>
> Thank you!
>

-- 
Joshua Branson (joshuaBPMan in #guix)
Sent from Emacs and Gnus
https://gnucode.me
https://video.hardlimit.com/accounts/joshua_branson/video-channels
https://propernaming.org
"You can have whatever you want, as long as you help enough other
people get what they want." - Zig Ziglar
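The two mechanical parts of the procedure Léo describes above (deciding graft versus update from the `guix refresh -l` dependents count, and composing the commit title and body for the single-CVE, known-list and uncertain-list cases) as an added POSIX shell example. This is not code from the thread or from Guix. The helper names, the 300 threshold as a constant, and the sample `guix refresh -l` line are mine; the three output shapes the parser accepts are assumed from Guix's refresh script and should be checked against the local `guix` before relying on them.

```shell
#!/bin/sh
# Added example for the triage procedure in the message above; not code
# from the thread or from Guix. The `guix refresh -l` output shapes
# handled below are assumed and should be checked against a real Guix.

# Léo's rule: more than this many dependents means graft, not update.
GRAFT_THRESHOLD=300

# dependent_count LINE
# Print the number of dependent packages named by the first line of
# `guix refresh -l PKG`. Three output shapes are assumed:
#   No dependents other than itself: foo@1.0
#   A single dependent package: bar@2.0
#   Building the following N packages would ensure M dependent packages are rebuilt: ...
dependent_count() {
  case "$1" in
    "No dependents other than itself:"*) echo 0 ;;
    "A single dependent package:"*) echo 1 ;;
    "Building the following "*)
      printf '%s\n' "$1" |
        sed -n 's/.*would ensure \([0-9][0-9]*\) dependent packages.*/\1/p' ;;
    *) echo "dependent_count: unrecognized output: $1" >&2; return 1 ;;
  esac
}

# fix_strategy COUNT
# "graft" when the rebuild would be too large, otherwise "update".
fix_strategy() {
  if [ "$1" -gt "$GRAFT_THRESHOLD" ]; then echo graft; else echo update; fi
}

# commit_title PKG VERSION CERTAIN CVE...
# One CVE known with certainty: "[fixes CVE-...]" before the final period;
# anything else (several CVEs, or an uncertain list): "[security fixes]".
commit_title() {
  pkg=$1 version=$2 certain=$3
  shift 3
  if [ "$#" -eq 1 ] && [ "$certain" = yes ]; then
    echo "gnu: $pkg: Update to $version [fixes $1]."
  else
    echo "gnu: $pkg: Update to $version [security fixes]."
  fi
}

# commit_body CERTAIN CVE...
# "Fixes A, B and C." when the list is known to be complete,
# "Fixes at least ..." when it may not be, and no body line at all
# when no list is known (only the title marker is used then).
commit_body() {
  certain=$1
  shift
  [ "$#" -eq 0 ] && return 0
  if [ "$#" -eq 1 ]; then
    list=$1
  else
    list=""
    while [ "$#" -gt 2 ]; do list="${list}$1, "; shift; done
    list="${list}$1 and $2"
  fi
  if [ "$certain" = yes ]; then
    echo "Fixes $list."
  else
    echo "Fixes at least $list."
  fi
}

# Constructed sample of `guix refresh -l` output (not real Guix data).
SAMPLE='Building the following 120 packages would ensure 213 dependent packages are rebuilt: hop@2.4.0 geiser@0.4'
n=$(dependent_count "$SAMPLE")
echo "dependents: $n -> $(fix_strategy "$n")"
commit_title foo 1.2 yes CVE-2020-1234
commit_title foo 1.2 no CVE-2020-1234 CVE-2020-1235
commit_body no CVE-2020-1234 CVE-2020-1235 CVE-2020-1236
```

In practice you would feed `dependent_count` the first line of `guix refresh -l pkg_name` straight from the command, and paste the `commit_title`/`commit_body` output over the message that `etc/committer.scm` generates. The threshold comparison is strict, so exactly 300 dependents still falls on the "update" side, matching "larger than 300" in the message.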