Re: CVEs missing from the NIST database


From: Ludovic Courtès
Subject: Re: CVEs missing from the NIST database
Date: Mon, 15 Mar 2021 18:01:44 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Hi Mark,

Mark H Weaver <mhw@netris.org> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> In this case, I noticed that ‘guix lint -c cve cairo’ wouldn’t report
>> CVE-2020-35492 and found that
>> <https://nvd.nist.gov/vuln/detail/CVE-2020-35492> is 404.
>>
>> Likewise, this command:
>>
>>    wget -qO - "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz" | \
>>      gunzip | grep CVE-2020-35492
>>
>> turns up nothing.
>>
>> It could be that this CVE is still “pending” (I think that happens
>> sometimes).  Do you know more about this one?
>
> I was looking in Debian's cairo package for fixes for other CVEs (namely
> the ones that "guix lint -c cve cairo" *did* report), and noticed that
> they included a fix for CVE-2020-35492.  I didn't investigate further.

OK.  It could be that it hasn’t reached the NIST database yet, as Leo
wrote.

> While we're on the subject of issues with the CVE database, or possibly
> with our linter, "guix lint -c cve" now erroneously reports:
>
> gnu/packages/gnome.scm:8434:2: gnome-shell@3.34.5: probably vulnerable to CVE-2019-3820
> gnu/packages/gnome.scm:6452:2: gvfs@1.40.2: probably vulnerable to CVE-2019-12447, CVE-2019-12448, CVE-2019-12449
>
>
> All of these are incorrect.
>
> * CVE-2019-3820 was fixed long before GNOME 3.34 came out, and I've
>   verified that the commit that fixes it is included in
>   gnome-shell-3.34.5:
>
>     commit f0a7395b3006360905ccdc642982f9fc67378927
>     Author: Ray Strode <rstrode@redhat.com>
>     Date:   Wed Jan 23 15:59:15 2019 -0500
>
>     shellActionModes: disable POPUP keybindings in unlock screen
>
> * CVE-2019-12447, CVE-2019-12448, and CVE-2019-12449 are fixed in
>   gvfs-1.40.2, according to its NEWS file:

Yes, that can happen when the CVE doesn’t list affected versions:

  https://www.openwall.com/lists/oss-security/2017/03/15/3

The solution here is to add a ‘lint-hidden-cve’ property to the package
with a comment explaining why we think these CVEs can be ignored (info
"(guix) Invoking guix lint").

Thanks,
Ludo’.
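As an added illustration of the fix Ludovic describes (this is example code written for this page, not a definition taken from the thread or from the Guix source tree), here is how a package carries the ‘lint-hidden-cve’ property so that ‘guix lint -c cve’ stops reporting CVEs that are already fixed in the packaged version. The package name ‘example-gvfs-like’, the synopsis/description text and the ‘(source #f)’ placeholder are assumptions for the sake of a self-contained snippet; the CVE identifiers and the version are the ones discussed in the thread.

```scheme
;; Added example, not part of the thread or of Guix itself.  The package
;; name and the metadata strings are hypothetical; a real definition would
;; carry an origin (URL and sha256) in place of (source #f).
(use-modules (guix packages)
             (guix build-system gnu)
             ((guix licenses) #:prefix license:))

(define-public example-gvfs-like
  (package
    (name "example-gvfs-like")
    (version "1.40.2")
    (source #f)                       ; real origin goes here
    (build-system gnu-build-system)
    (synopsis "Hypothetical package used to illustrate lint-hidden-cve")
    (description
     "Placeholder package showing how to hide CVEs that the cve linter
reports for every version because the CVE entries list no affected
versions.")
    (home-page "https://example.org/")   ; placeholder URL
    (license license:lgpl2.0+)
    (properties
     ;; CVE-2019-12447, CVE-2019-12448 and CVE-2019-12449 are fixed in
     ;; 1.40.2 according to the upstream NEWS file, but their NVD entries
     ;; carry no affected-version information, so 'guix lint -c cve' would
     ;; otherwise flag this package.  The comment records why hiding them
     ;; is justified so that a later reviewer can re-check the claim.
     '((lint-hidden-cve . ("CVE-2019-12447"
                           "CVE-2019-12448"
                           "CVE-2019-12449"))))))
```

The property value is a list of CVE identifier strings; the linter skips exactly those identifiers for this package and still reports any other CVE that matches, so the hidden list should stay as narrow as the evidence (here, the NEWS entry) supports.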


