* Dealing with CVEs that apply to unspecified package versions
From: Ludovic Courtès @ 2017-03-06 21:36 UTC
To: Leo Famulari; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 914 bytes --]

Hi!

A couple of weeks ago you mentioned that CVE-2016-10165 (for lcms) is not reported by ‘guix lint -c cve’. This is due to the fact that the CVE does not specify the lcms version number it applies to, and thus (guix cve) ignores it.

The attached patch fixes (guix cve) to honor CVEs with an unspecified version number.

Unfortunately, there’s no way to know whether such CVEs are actually fixed at a specific package version or not, and they’re not uncommon. Consequently, ‘guix lint -c cve’ would now report old CVEs that possibly no longer apply to our package versions.

In the patch, I added the ability to specify a ‘patched-vulnerabilities’ property to work around that (with Coreutils as an example). The downside is that we’d have to maintain these lists by ourselves, which is not great, but might still be better than the status quo.

Thoughts?

Ludo’.

[-- Attachment #2: Type: text/x-patch, Size: 15112 bytes --]

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index c75e03828..c84571c21 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr> ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org> ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
@@ -320,6 +320,7 @@ used to apply commands with arbitrarily long arguments.") (("#!/bin/sh") (format #f "#!~a/bin/sh" bash))))) %standard-phases))) + (properties '((patched-vulnerabilities "CVE-2016-2781"))) ;really? (synopsis "Core GNU utilities (file, text, shell)") (description "GNU Coreutils includes all of the basic command-line tools that are diff --git a/guix/cve.scm b/guix/cve.scm index 088e39837..771b82d05 100644 --- a/guix/cve.scm +++ b/guix/cve.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org> ;;; ;;; This file is part of GNU Guix. ;;; @@ -88,9 +88,17 @@ (close-port port))))) (define %cpe-package-rx + ;; The CPE syntax as defined in the CPE 2.2 specs from + ;; <https://cpe.mitre.org/specification/2.2/cpe-specification_2.2.pdf>. + ;; ;; For applications: "cpe:/a:VENDOR:PACKAGE:VERSION", or sometimes - ;; "cpe/a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL". - (make-regexp "^cpe:/a:([^:]+):([^:]+):([^:]+)((:.+)?)")) + ;; "cpe/a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL"; in some cases, simply + ;; "cpe:/a:VENDOR:PACKAGE", meaning that the affected versions are not + ;; specified. + (make-regexp "^c[pP][eE]:/[aA]:([^:]+):(.*)")) + +(define %not-colon + (char-set-complement (char-set #\:))) (define (cpe->package-name cpe) "Converts the Common Platform Enumeration (CPE) string CPE to a package 
@@ -99,15 +107,17 @@ version string. Return #f and #f if CPE does not look like an application CPE string." (cond ((regexp-exec %cpe-package-rx (string-trim-both cpe)) => - (lambda (matches) - (values (match:substring matches 2) - (string-append (match:substring matches 3) - (match (match:substring matches 4) - ("" "") - (patch-level - ;; Drop the colon from things like - ;; "cpe:/a:openbsd:openssh:6.8:p1". - (string-drop patch-level 1))))))) + (lambda (rx-match) + (match (string-tokenize (match:substring rx-match 2) + %not-colon) + ((package) + ;; No version component, as in + ;; "cpe:/a:littlecms:little_cms_color_engine". + (values package 'any)) + ((package version _ ...) + ;; Ignore the "patch level" part if there is one, as in + ;; "cpe:/a:openbsd:openssh:6.8:p1". + (values package version))))) (else (values #f #f)))) @@ -119,6 +129,11 @@ applications listed in PRODUCTS, with names converted to package names: '(\"cpe:/a:gnu:libtasn1:4.7\" \"cpe:/a:gnu:libtasn1:4.6\" \"cpe:/a:gnu:cpio:2.11\")) => ((\"libtasn1\" \"4.7\" \"4.6\") (\"cpio\" \"2.11\")) " + (define (version-cons v lst) + (cond ((eq? v 'any) 'any) + ((eq? lst 'any) 'any) + (else (cons v lst)))) + (fold (lambda (product result) (let-values (((name version) (cpe->package-name product))) (if name @@ -126,10 +141,10 @@ applications listed in PRODUCTS, with names converted to package names: (((previous . versions) . tail) ;; Attempt to coalesce NAME and PREVIOUS. (if (string=? name previous) - (alist-cons name (cons version versions) tail) - (alist-cons name (list version) result))) + (alist-cons name (version-cons version versions) tail) + (alist-cons name (version-cons version '()) result))) (() - (alist-cons name (list version) result))) + (alist-cons name (version-cons version '()) result))) result))) '() (sort products string<?))) 
@@ -282,6 +297,8 @@ vulnerabilities affecting the given package version." (vhash-fold* (if version (lambda (pair result) (match pair + ((vuln . 'any) + (cons vuln result)) ((vuln . versions) (if (member version versions) (cons vuln result) diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm index 776e7332c..ca96b9a73 100644 --- a/guix/scripts/lint.scm +++ b/guix/scripts/lint.scm @@ -790,10 +790,15 @@ from ~s: ~a (~s)~%") (or (and=> (package-source package) origin-patches) '()))) + (patched (or (assoc-ref (package-properties package) + 'patched-vulnerabilities) + '())) (unpatched (remove (lambda (vuln) - (find (cute string-contains - <> (vulnerability-id vuln)) - patches)) + (or (member (vulnerability-id vuln) + patched) + (find (cute string-contains + <> (vulnerability-id vuln)) + patches))) vulnerabilities))) (unless (null? unpatched) (emit-warning package diff --git a/tests/cve-sample.xml b/tests/cve-sample.xml index ce158490f..78b2e302b 100644 --- a/tests/cve-sample.xml +++ b/tests/cve-sample.xml 
@@ -613,4 +613,68 @@ </vuln:references> <vuln:summary>The PCo agent in SAP Plant Connectivity (PCo) allows remote attackers to cause a denial of service (memory corruption and agent crash) via crafted xMII requests, aka SAP Security Note 2238619.</vuln:summary> </entry> + <entry id="CVE-2016-10165"> + <vuln:vulnerable-configuration id="http://nvd.nist.gov/"> + <cpe-lang:logical-test operator="OR" negate="false"> + <cpe-lang:fact-ref name="cpe:/a:littlecms:little_cms_color_engine"/> + </cpe-lang:logical-test> + </vuln:vulnerable-configuration> + <vuln:vulnerable-configuration id="http://nvd.nist.gov/"> + <cpe-lang:logical-test operator="OR" negate="false"> + <cpe-lang:fact-ref name="cpe:/o:debian:debian_linux:8.0"/> + </cpe-lang:logical-test> + </vuln:vulnerable-configuration> + <vuln:vulnerable-configuration id="http://nvd.nist.gov/"> + <cpe-lang:logical-test operator="OR" negate="false"> + <cpe-lang:fact-ref name="cpe:/o:novell:leap:42.1"/> + </cpe-lang:logical-test> + </vuln:vulnerable-configuration> + <vuln:vulnerable-software-list> + <vuln:product>cpe:/o:debian:debian_linux:8.0</vuln:product> + <vuln:product>cpe:/a:littlecms:little_cms_color_engine</vuln:product> + <vuln:product>cpe:/o:novell:leap:42.1</vuln:product> + </vuln:vulnerable-software-list> + <vuln:cve-id>CVE-2016-10165</vuln:cve-id> + <vuln:published-datetime>2017-02-03T14:59:00.177-05:00</vuln:published-datetime> + <vuln:last-modified-datetime>2017-02-09T10:05:10.670-05:00</vuln:last-modified-datetime> + <vuln:cvss> + <cvss:base_metrics> + <cvss:score>5.8</cvss:score> + <cvss:access-vector>NETWORK</cvss:access-vector> + <cvss:access-complexity>MEDIUM</cvss:access-complexity> + <cvss:authentication>NONE</cvss:authentication> + <cvss:confidentiality-impact>PARTIAL</cvss:confidentiality-impact> + <cvss:integrity-impact>NONE</cvss:integrity-impact> + <cvss:availability-impact>PARTIAL</cvss:availability-impact> + <cvss:source>http://nvd.nist.gov</cvss:source> + 
<cvss:generated-on-datetime>2017-02-08T12:23:39.653-05:00</cvss:generated-on-datetime> + </cvss:base_metrics> + </vuln:cvss> + <vuln:cwe id="CWE-125"/> + <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> + <vuln:source>SUSE</vuln:source> + <vuln:reference href="http://lists.opensuse.org/opensuse-updates/2017-01/msg00174.html" xml:lang="en">openSUSE-SU-2017:0336</vuln:reference> + </vuln:references> + <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> + <vuln:source>DEBIAN</vuln:source> + <vuln:reference href="http://www.debian.org/security/2017/dsa-3774" xml:lang="en">DSA-3774</vuln:reference> + </vuln:references> + <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> + <vuln:source>MLIST</vuln:source> + <vuln:reference href="http://www.openwall.com/lists/oss-security/2017/01/23/1" xml:lang="en">[oss-security] 20170125 Re: CVE MLIST:[oss-security] 20170123 CVE request: lcms2 heap OOB read parsing crafted ICC profile</vuln:reference> + </vuln:references> + <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> + <vuln:source>MLIST</vuln:source> + <vuln:reference href="http://www.openwall.com/lists/oss-security/2017/01/25/14" xml:lang="en">[oss-security] 20170125 Re: CVE request: lcms2 heap OOB read parsing crafted ICC profile</vuln:reference> + </vuln:references> + <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> + <vuln:source>BID</vuln:source> + <vuln:reference href="http://www.securityfocus.com/bid/95808" xml:lang="en">95808</vuln:reference> + </vuln:references> + <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> + <vuln:source>CONFIRM</vuln:source> + <vuln:reference href="https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2" xml:lang="en">https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2</vuln:reference> + </vuln:references> + <vuln:summary>The Type_MLU_Read function in cmstypes.c in Little CMS (aka lcms2) allows remote 
attackers to obtain sensitive information or cause a denial of service via an image with a crafted ICC profile, which triggers an out-of-bounds heap read.</vuln:summary> + </entry> </nvd> diff --git a/tests/cve.scm b/tests/cve.scm index 3fbb22d3c..d4d9ba5f8 100644 --- a/tests/cve.scm +++ b/tests/cve.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org> ;;; ;;; This file is part of GNU Guix. ;;; @@ -31,12 +31,13 @@ ;; What we should get when reading %SAMPLE. (list ;; CVE-2003-0001 has no "/a" in its product list so it is omitted. - ;; CVE-2004-0230 lists "tcp" as an application, but lacks a version number. + (vulnerability "CVE-2004-0230" '(("tcp" . any))) (vulnerability "CVE-2008-2335" '(("phpvid" "1.2" "1.1"))) (vulnerability "CVE-2008-3522" '(("enterprise_virtualization" "3.5") ("jasper" "1.900.1"))) (vulnerability "CVE-2009-3301" '(("openoffice.org" "2.3.0" "2.2.1" "2.1.0"))) ;; CVE-2015-8330 has no software list. + (vulnerability "CVE-2016-10165" '(("little_cms_color_engine" . any))) )) \f 
@@ -47,17 +48,27 @@ (call-with-input-file %sample xml->vulnerabilities)) (test-equal "vulnerabilities->lookup-proc" - (list (list (first %expected-vulnerabilities)) + (list (list (second %expected-vulnerabilities)) '() '() - (list (second %expected-vulnerabilities)) - (list (third %expected-vulnerabilities))) + (list (third %expected-vulnerabilities)) + (list (fourth %expected-vulnerabilities)) + + (list (fifth %expected-vulnerabilities)) + (list (fifth %expected-vulnerabilities)) + (list (fifth %expected-vulnerabilities))) (let* ((vulns (call-with-input-file %sample xml->vulnerabilities)) (lookup (vulnerabilities->lookup-proc vulns))) (list (lookup "phpvid") (lookup "jasper" "2.0") (lookup "foobar") (lookup "jasper" "1.900.1") - (lookup "openoffice.org" "2.3.0")))) + (lookup "openoffice.org" "2.3.0") + + ;; The 'littlecms' vulnerability has no version specifier so it + ;; should always match. + (lookup "little_cms_color_engine") + (lookup "little_cms_color_engine" "1.2.3") + (lookup "little_cms_color_engine" "42")))) (test-end "cve") diff --git a/tests/lint.scm b/tests/lint.scm index 3a9b89fe9..64bbc18b5 100644 --- a/tests/lint.scm +++ b/tests/lint.scm @@ -1,7 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2012, 2013 Cyril Roelandt <tipecaml@gmail.com> ;;; Copyright © 2014, 2015, 2016 Eric Bavier <bavier@member.fsf.org> -;;; Copyright © 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2015, 2016 Mathieu Lirzin <mthl@gnu.org> ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com> ;;; 
@@ -598,6 +598,21 @@ (patches (list "/a/b/pi-CVE-2015-1234.patch")))))))))) +(test-assert "cve: one patched vulnerability in properties" + (mock ((guix scripts lint) package-vulnerabilities + (lambda (package) + (list (make-struct (@@ (guix cve) <vulnerability>) 0 + "CVE-2015-1234" + (list (cons (package-name package) + (package-version package))))))) + (string-null? + (with-warnings + (check-vulnerabilities + (dummy-package "pi" + (version "3.14") + (properties + '((patched-vulnerabilities "CVE-2015-1234"))))))))) + (test-assert "cve: vulnerability fixed in replacement version" (mock ((guix scripts lint) package-vulnerabilities (lambda (package)
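Review bot: the `;really?` comment on the new `(properties '((patched-vulnerabilities "CVE-2016-2781")))` line in gnu/packages/base.scm leaves the one example entry unjustified; because such an entry silences a lint warning, it should say how the fix is known (the upstream commit or release, or why the CVE does not apply to the Guix build) rather than carry a question mark. The before/after lint output posted later in this thread still reports coreutils@8.25 as probably vulnerable to CVE-2014-9471, so the entry as written does not cover the coreutils report the checker actually emits.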
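Review bot: the new `%cpe-package-rx`, `"^c[pP][eE]:/[aA]:([^:]+):(.*)"`, accepts either case for `pe` and `a` but only a lowercase `c`, so an upper-case `CPE:/A:...` string, which the mixed-case classes were presumably added to tolerate, still fails to match; use `"^[cC][pP][eE]:/[aA]:..."` or pass `regexp/icase` to `make-regexp`. The comment above it still reads `cpe/a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL`, missing the colon after `cpe`.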
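Review bot: in `cpe->package-name` the `match` over `(string-tokenize (match:substring rx-match 2) %not-colon)` has no clause for the empty list, so a string such as `cpe:/a:vendor:`, which the regexp accepts with an empty second group, raises a match error instead of returning `#f #f` as the docstring promises; add a `(() (values #f #f))` clause. Separately, the `((package version _ ...) (values package version))` clause now drops the patch level, so `cpe:/a:openbsd:openssh:6.8:p1` yields `"6.8"` where the code being removed produced `"6.8p1"`; Guix's own OpenSSH version has the form `7.4p1` (see the lint output later in this thread), so a versioned OpenSSH CPE will no longer be found by `member`. Either keep appending the patch level or strip it on both sides of the comparison.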
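Review bot: `version-cons` in `cpe-product->package-names` makes a single unversioned CPE collapse the whole version list for that package to `any`, which is the right conservative choice, but the docstring's `=> ((\"libtasn1\" \"4.7\" \"4.6\") (\"cpio\" \"2.11\"))` example above the hunk still documents only the list form; state that the value can also be the symbol `any`, since `vulnerabilities->lookup-proc` and any other consumer now has to handle both shapes.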
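Review bot: the new `((vuln . 'any) (cons vuln result))` clause in `vulnerabilities->lookup-proc` must stay ahead of `((vuln . versions) ...)`, because `(member version 'any)` would raise a wrong-type error; a one-line comment saying so would keep a later reordering from breaking it. Only the `(if version ...)` lambda is touched here, so it is worth confirming that the unchanged no-version branch also returns `any` entries, which the new tests in tests/cve.scm rely on.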
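Review bot: `(assoc-ref (package-properties package) 'patched-vulnerabilities)` in guix/scripts/lint.scm introduces a user-visible package property, but the patch adds no documentation for it (doc/guix.texi is untouched) and nothing checks that the value is a list of strings, so a misspelled key silently suppresses nothing while a non-list value makes `member` fail inside the checker. Document the property next to the existing patch-file-name convention, and consider requiring each entry to carry its rationale (commit, release, or reason the CVE does not apply) so the suppression stays auditable.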
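Review bot: the new expectations in tests/cve.scm cover an unversioned CPE matching with and without a version argument, but nothing exercises a CPE with a patch level (`cpe:/a:openbsd:openssh:6.8:p1`, quoted in the comment inside `cpe->package-name`) or a malformed one such as `cpe:/a:vendor:`, which are the two parsing paths this patch changes; add sample entries and assertions for both.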
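Review bot: the new "cve: one patched vulnerability in properties" test in tests/lint.scm only checks that the listed CVE is silenced; add the negative case where `patched-vulnerabilities` names a CVE other than the one the mocked `package-vulnerabilities` returns and assert that the warning is still emitted, otherwise a `member` that always succeeded would pass this test.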
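The parsing and matching rule discussed above (a CPE with no version component should apply to every version of the product, and a package can opt out by listing the CVE as patched), as an added example in Python. This is not Guix code and not part of the original message; it keeps the pre-patch behaviour of folding a trailing patch level into the version so that it compares with distro versions such as 7.4p1, the `ANY` marker stands in for the `any` symbol of the patch, and the CVE product lists below are constructed for this example from ids that appear on this page.

```python
"""Added example (not Guix code): parse CPE 2.2 application strings and
match them against package versions, treating a CPE that carries no
version component as applying to every version."""
import re
from typing import Dict, List, Optional, Tuple

# "Affected versions not specified" marker, playing the role of the `any`
# symbol in the patch under discussion.
ANY = None

# Product lists constructed for this example from CVE ids visible on this
# page (the NVD sample entry for CVE-2016-10165 and the phpvid test entry).
SAMPLE_CVES: Dict[str, List[str]] = {
    "CVE-2016-10165": [
        "cpe:/o:debian:debian_linux:8.0",            # not an application: skipped
        "cpe:/a:littlecms:little_cms_color_engine",  # no version component
        "cpe:/o:novell:leap:42.1",
    ],
    "CVE-2008-2335": ["cpe:/a:phpvid:phpvid:1.2", "cpe:/a:phpvid:phpvid:1.1"],
}

# CPE 2.2: "cpe:/a:VENDOR:PRODUCT[:VERSION[:UPDATE...]]".  The whole prefix
# is matched case-insensitively, not only its last two letters.
_CPE_APP_RX = re.compile(r"^[cC][pP][eE]:/[aA]:([^:]+):(.*)$")


def cpe_to_package(cpe: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (product, version) for an application CPE, else (None, None).

    version is ANY when the CPE has no version component.  A trailing
    update/patch-level field is folded into the version ("6.8" + "p1" ->
    "6.8p1") so it compares with distro version strings like 7.4p1.
    """
    match = _CPE_APP_RX.match(cpe.strip())
    if match is None:
        return None, None
    fields = [f for f in match.group(2).split(":") if f]  # drop empty fields
    if not fields:
        return None, None          # "cpe:/a:vendor:" is malformed, not a hit
    if len(fields) == 1:
        return fields[0], ANY
    product, version, *update = fields
    return product, version + "".join(update)


def products_to_packages(products: List[str]) -> Dict[str, Optional[List[str]]]:
    """Group CPE strings into product -> list of versions, or ANY.

    One unversioned CPE for a product makes the whole product ANY: once the
    database says "all versions", a version list for the same product
    cannot narrow that claim.
    """
    result: Dict[str, Optional[List[str]]] = {}
    for cpe in products:
        product, version = cpe_to_package(cpe)
        if product is None:
            continue
        if version is ANY or result.get(product, []) is ANY:
            result[product] = ANY
        else:
            result.setdefault(product, []).append(version)
    return result


def build_index(cves: Dict[str, List[str]]):
    """Return product -> [(cve_id, versions_or_ANY), ...]."""
    index: Dict[str, List[Tuple[str, Optional[List[str]]]]] = {}
    for cve_id, products in cves.items():
        for product, versions in products_to_packages(products).items():
            index.setdefault(product, []).append((cve_id, versions))
    return index


def lookup(index, product: str, version: Optional[str] = None,
           patched=()) -> List[str]:
    """CVE ids affecting PRODUCT at VERSION (every version when None),
    minus those the package declares as patched.  An ANY entry matches
    every version, which is exactly why it needs a curated `patched` list."""
    hits = []
    for cve_id, versions in index.get(product, []):
        if cve_id in patched:
            continue
        if version is None or versions is ANY or version in versions:
            hits.append(cve_id)
    return sorted(hits)


SAMPLE_INDEX = build_index(SAMPLE_CVES)

if __name__ == "__main__":
    print(lookup(SAMPLE_INDEX, "little_cms_color_engine", "2.6"))
    print(lookup(SAMPLE_INDEX, "little_cms_color_engine", "2.6",
                 patched={"CVE-2016-10165"}))
```

The `patched` argument is the moral equivalent of the `patched-vulnerabilities` property: it is the only thing that stops an unversioned entry from being reported against every future release of the package, which is why each entry in such a list should record why the CVE is believed fixed.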
* Re: Dealing with CVEs that apply to unspecified package versions
From: Leo Famulari @ 2017-03-11 4:05 UTC
To: Ludovic Courtès; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1781 bytes --]

On Mon, Mar 06, 2017 at 10:36:48PM +0100, Ludovic Courtès wrote:
> Unfortunately, there’s no way to know whether such CVEs are actually
> fixed at a specific package version or not, and they’re not uncommon.
> Consequently, ‘guix lint -c cve’ would now report old CVEs that possibly
> no longer apply to our package versions.

I didn't notice any change in what the CVE checker reports after applying the diff. Did I miss a step?

> In the patch, I added the ability to specify a ‘patched-vulnerabilities’
> property to work around that (with Coreutils as an example). The
> downside is that we’d have to maintain these lists by ourselves, which
> is not great, but might still be better than the status quo.

Overall, I think it's better for the CVE checker to omit some CVEs than to show a large number of false positives. Otherwise people may not pay attention to it at all. And the CVE checker will never be authoritative; Guix developers have to look for security advisories from a wide variety of sources.

I wonder if we could maintain the set of 'patched-vulnerabilities' fields satisfactorily.

Changing the subject, this implementation of 'patched-vulnerabilities' doesn't preserve the valuable information of how we know the vulnerability was fixed (patch? update? only applicable to non-GNU platforms? et cetera).

If we were to start collecting and curating this information, we should try to preserve it and make it useful to the other distros.

In that case, we could instead update the CVE database through MITRE's new CVE form, which recently became the only way to get new CVEs from MITRE:

https://cveform.mitre.org

I think the goal is to reduce the friction of requesting and amending CVEs. Let's try it :)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
* Re: Dealing with CVEs that apply to unspecified package versions
From: Ludovic Courtès @ 2017-03-11 11:09 UTC
To: Leo Famulari; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 615 bytes --]

Leo Famulari <leo@famulari.name> skribis:

> On Mon, Mar 06, 2017 at 10:36:48PM +0100, Ludovic Courtès wrote:
>> Unfortunately, there’s no way to know whether such CVEs are actually
>> fixed at a specific package version or not, and they’re not uncommon.
>> Consequently, ‘guix lint -c cve’ would now report old CVEs that possibly
>> no longer apply to our package versions.
>
> I didn't notice any change in what the CVE checker reports after
> applying the diff. Did I miss a step?

You need to first clear your cache:

  rm -rf ~/.cache/guix/cve

Here’s the before/after diff I get:

[-- Attachment #2: Type: text/x-patch, Size: 6180 bytes --]

--- /home/ludo/src/guix/cve-before.txt 2017-03-11 12:01:57.908151863 +0100 +++ /home/ludo/src/guix/cve-after.txt 2017-03-11 12:04:24.283399193 +0100
@@ -1,20 +1,42 @@ +gnu/packages/tls.scm:218:2: gnutls@3.5.8: probably vulnerable to CVE-2014-3467, CVE-2014-3468, CVE-2014-3469 gnu/packages/backup.scm:186:2: libarchive@3.2.1: probably vulnerable to CVE-2016-8687, CVE-2016-8688, CVE-2016-8689 -gnu/packages/base.scm:754:2: glibc@2.23: probably vulnerable to CVE-2016-3075, CVE-2016-5417 -gnu/packages/base.scm:502:2: glibc@2.24: probably vulnerable to CVE-2016-6323 -gnu/packages/base.scm:788:2: glibc@2.21: probably vulnerable to CVE-2015-1781, CVE-2015-7547, CVE-2014-7817, CVE-2014-8121 +gnu/packages/base.scm:278:2: coreutils@8.25: probably vulnerable to CVE-2014-9471 +gnu/packages/base.scm:767:2: glibc@2.22: probably vulnerable to CVE-2016-3706, CVE-2016-4429, CVE-2015-7547, CVE-2015-8776, CVE-2015-8777, CVE-2015-8778, CVE-2015-8779, CVE-2014-5119, CVE-2014-9761 +gnu/packages/base.scm:789:2: glibc@2.21: probably vulnerable to CVE-2016-3706, CVE-2016-4429, CVE-2015-1781, CVE-2015-7547, CVE-2014-5119, CVE-2014-7817, CVE-2014-8121 gnu/packages/base.scm:155:2: tar@1.29: probably vulnerable to CVE-2016-6321 -gnu/packages/base.scm:766:2: glibc@2.22: probably vulnerable to CVE-2015-7547, CVE-2015-8776, CVE-2015-8777, CVE-2015-8778, CVE-2015-8779, CVE-2014-9761 +gnu/packages/base.scm:503:2: glibc@2.24: probably vulnerable to CVE-2016-3706, CVE-2016-4429, CVE-2016-6323, CVE-2014-5119 +gnu/packages/base.scm:755:2: glibc@2.23: probably vulnerable to CVE-2016-3075, CVE-2016-3706, CVE-2016-4429, CVE-2016-5417, CVE-2014-5119 +gnu/packages/bash.scm:269:2: bash@4.4.A: probably vulnerable to CVE-2016-9401 +gnu/packages/busybox.scm:31:2: busybox@1.26.0: probably vulnerable to CVE-2016-6301 gnu/packages/compression.scm:210:4: bzip2@1.0.6: probably vulnerable to CVE-2016-3189 -gnu/packages/image.scm:296:2: libtiff@4.0.7: probably vulnerable to CVE-2017-5563, CVE-2016-10095 -gnu/packages/image.scm:487:2: openjpeg@2.1.2: probably vulnerable to CVE-2016-9112, CVE-2016-9113, CVE-2016-9114, CVE-2016-9115, CVE-2016-9116, CVE-2016-9117, 
CVE-2016-9118 +gnu/packages/databases.scm:329:2: mariadb@10.1.21: probably vulnerable to CVE-2016-6664 +gnu/packages/databases.scm:720:2: sqlite@3.15.1: probably vulnerable to CVE-2015-3717 +gnu/packages/databases.scm:254:2: mysql@5.7.17: probably vulnerable to CVE-2014-0001 +gnu/packages/databases.scm:666:2: sqlite@3.14.1: probably vulnerable to CVE-2015-3717 +gnu/packages/gcc.scm:410:2: libiberty@4.9.4: probably vulnerable to CVE-2016-2226, CVE-2016-4487, CVE-2016-4488, CVE-2016-4489, CVE-2016-4490, CVE-2016-4491, CVE-2016-4492, CVE-2016-4493 +gnu/packages/ghostscript.scm:64:2: lcms@2.6: probably vulnerable to CVE-2016-10165 +gnu/packages/gnome.scm:5393:4: byzanz@0.2-1.f7af3a5: probably vulnerable to CVE-2015-2785 +gnu/packages/gstreamer.scm:99:2: gstreamer@1.10.4: probably vulnerable to CVE-2017-5847, CVE-2017-5848, CVE-2016-9446 +gnu/packages/image.scm:487:2: openjpeg@2.1.2: probably vulnerable to CVE-2016-7163, CVE-2016-9112, CVE-2016-9113, CVE-2016-9114, CVE-2016-9115, CVE-2016-9116, CVE-2016-9117, CVE-2016-9118, CVE-2016-9675 +gnu/packages/image.scm:296:2: libtiff@4.0.7: probably vulnerable to CVE-2017-5563, CVE-2016-10095, CVE-2016-9453, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2015-8784 +gnu/packages/image.scm:505:2: openjpeg@1.5.2: probably vulnerable to CVE-2016-7163, CVE-2016-9675 +gnu/packages/linux.scm:3063:2: ecryptfs-utils@111: probably vulnerable to CVE-2016-1572 +gnu/packages/lynx.scm:35:2: lynx@2.8.9dev.11: probably vulnerable to CVE-2016-9179 gnu/packages/mail.scm:1081:2: dovecot@2.2.27: probably vulnerable to CVE-2016-8652 gnu/packages/monitoring.scm:34:2: nagios@4.2.4: probably vulnerable to CVE-2016-10089 gnu/packages/mp3.scm:231:2: libmp3splt@0.9.2: probably vulnerable to CVE-2017-5665 gnu/packages/mp3.scm:264:2: mp3splt@2.6.2: probably vulnerable to CVE-2017-5666, CVE-2017-5851 +gnu/packages/openldap.scm:36:2: openldap@2.4.44: probably vulnerable to CVE-2015-3276 gnu/packages/perl.scm:50:2: perl@5.24.0: probably vulnerable to 
CVE-2016-1238 -gnu/packages/php.scm:65:2: php@7.0.14: probably vulnerable to CVE-2017-5340, CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161, CVE-2016-10162, CVE-2016-7479 +gnu/packages/php.scm:65:2: php@7.0.14: probably vulnerable to CVE-2017-5340, CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161, CVE-2016-10162, CVE-2016-7479, CVE-2014-5459 +gnu/packages/polkit.scm:42:2: polkit@0.113: probably vulnerable to CVE-2016-2568 +gnu/packages/pulseaudio.scm:43:2: libsndfile@1.0.26: probably vulnerable to CVE-2014-9496, CVE-2014-9756 +gnu/packages/qemu.scm:70:2: qemu@2.8.0: probably vulnerable to CVE-2016-10028, CVE-2016-10029, CVE-2016-1922, CVE-2016-1981, CVE-2016-2197, CVE-2016-2198, CVE-2016-7161, CVE-2016-7907, CVE-2016-7908, CVE-2016-7909, CVE-2016-9381, CVE-2016-9776, CVE-2016-9845, CVE-2016-9846, CVE-2016-9913, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916, CVE-2015-8701, CVE-2015-8743, CVE-2015-8744, CVE-2015-8745, CVE-2015-8818 +gnu/packages/ssh.scm:113:2: openssh@7.4p1: probably vulnerable to CVE-2014-1692 +gnu/packages/tls.scm:218:2: gnutls@3.5.8: probably vulnerable to CVE-2014-3467, CVE-2014-3468, CVE-2014-3469 gnu/packages/web.scm:3627:2: jq@1.5: probably vulnerable to CVE-2016-4074 gnu/packages/wget.scm:34:2: wget@1.19.1: probably vulnerable to CVE-2017-6508 -gnu/packages/xml.scm:106:2: libxml2@2.9.4: probably vulnerable to CVE-2016-9318 -gnu/packages/zip.scm:75:2: unzip@6.0: probably vulnerable to CVE-2016-9844, CVE-2014-9913 +gnu/packages/xml.scm:170:2: libxslt@1.1.29: probably vulnerable to CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, CVE-2016-4610, CVE-2016-4612 +gnu/packages/xml.scm:106:2: libxml2@2.9.4: probably vulnerable to CVE-2016-2073, CVE-2016-4448, CVE-2016-9318, CVE-2015-8710 gnu/packages/zip.scm:127:2: zziplib@0.13.62: probably vulnerable to CVE-2017-5974, CVE-2017-5975, CVE-2017-5976, CVE-2017-5977, CVE-2017-5978, CVE-2017-5979, CVE-2017-5980, CVE-2017-5981 +gnu/packages/zip.scm:75:2: unzip@6.0: probably vulnerable 
to CVE-2016-9844, CVE-2014-9913

[-- Attachment #3: Type: text/plain, Size: 1838 bytes --]

So that’s ~30 or so additional CVEs that we’d need to look at.

>> In the patch, I added the ability to specify a ‘patched-vulnerabilities’
>> property to work around that (with Coreutils as an example). The
>> downside is that we’d have to maintain these lists by ourselves, which
>> is not great, but might still be better than the status quo.
>
> Overall, I think it's better for the CVE checker to omit some CVEs than
> to show a large number of false positives. Otherwise people may not pay
> attention to it at all. And the CVE checker will never be authoritative;
> Guix developers have to look for security advisories from a wide variety
> of sources.
>
> I wonder if we could maintain the set 'patched-vulnerabilities' fields
> satisfactorily.
>
> Changing the subject, this implementation of 'patched-vulnerabilities'
> doesn't preserve the valuable information of how we know the
> vulnerability was fixed (patch? update? only applicable to non-GNU
> platforms? et cetera).
>
> If we were to start collecting and curating this information, we should
> try to preserve it and make it useful to the other distros.

Right, we’d need to add a clear comment to each vulnerability that we mark as patched.

> In that case, we could instead update the CVE database through MITRE's
> new CVE form, which recently became the only way to get new CVEs from
> MITRE:
>
> https://cveform.mitre.org
>
> I think the goal is to reduce the friction of requesting and amending
> CVEs. Let's try it :)

Yes, that’s what I thought. But either way, that’s quite a bit of non-trivial work.

What about raising the issue on oss-sec? Ideally the QEMU folks would take care of labeling QEMU’s CVEs, the libxml2 folks would take care of theirs, etc.

Thanks for your feedback!

Ludo’.
* Re: Dealing with CVEs that apply to unspecified package versions
From: Ludovic Courtès @ 2017-03-16 10:07 UTC
To: guix-devel

ludo@gnu.org (Ludovic Courtès) skribis:

> What about raising the issue on oss-sec? Ideally the QEMU folks would
> take care of labeling QEMU’s CVEs, the libxml2 folks would take care of
> theirs, etc.

For the record I followed up on this discussion on oss-sec:

  http://www.openwall.com/lists/oss-security/2017/03/15/3

Ludo’.