Re: CVEs missing from the NIST database
From: Ludovic Courtès
Subject: Re: CVEs missing from the NIST database
Date: Mon, 15 Mar 2021 18:01:44 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Hi Mark,
Mark H Weaver <mhw@netris.org> writes:
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> In this case, I noticed that ‘guix lint -c cve cairo’ wouldn’t report
>> CVE-2020-35492 and found that
>> <https://nvd.nist.gov/vuln/detail/CVE-2020-35492> is 404.
>>
>> Likewise, this command:
>>
>> wget -qO - \
>>   "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz" | \
>>   gunzip | grep CVE-2020-35492
>>
>> turns up nothing.
>>
>> It could be that this CVE is still “pending” (I think that happens
>> sometimes). Do you know more about this one?
>
> I was looking in Debian's cairo package for fixes for other CVEs (namely
> the ones that "guix lint -c cve cairo" *did* report), and noticed that
> they included a fix for CVE-2020-35492. I didn't investigate further.
OK. It could be that it hasn’t reached the NIST database yet, as Leo
wrote.
> While we're on the subject of issues with the CVE database, or possibly
> with our linter, "guix lint -c cve" now erroneously reports:
>
> gnu/packages/gnome.scm:8434:2: gnome-shell@3.34.5: probably vulnerable to
> CVE-2019-3820
> gnu/packages/gnome.scm:6452:2: gvfs@1.40.2: probably vulnerable to
> CVE-2019-12447, CVE-2019-12448, CVE-2019-12449
>
> All of these are incorrect.
>
> * CVE-2019-3820 was fixed long before GNOME 3.34 came out, and I've
> verified that the commit that fixes it is included in
> gnome-shell-3.34.5:
>
> commit f0a7395b3006360905ccdc642982f9fc67378927
> Author: Ray Strode <rstrode@redhat.com>
> Date: Wed Jan 23 15:59:15 2019 -0500
>
> shellActionModes: disable POPUP keybindings in unlock screen
>
> * CVE-2019-12447, CVE-2019-12448, and CVE-2019-12449 are fixed in
> gvfs-1.40.2, according to its NEWS file:
Yes, that can happen when the CVE doesn’t list affected versions:
https://www.openwall.com/lists/oss-security/2017/03/15/3
The solution here is to add a ‘lint-hidden-cve’ property to the package
with a comment explaining why we think these CVEs can be ignored (info
"(guix) Invoking guix lint").
Thanks,
Ludo’.
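The two mechanisms discussed in this thread (a CVE entry whose CPE match carries no version bounds, so a version-aware linter has to assume every version is affected, and a per-package allowlist such as Guix's `lint-hidden-cve` that silences a known false positive) can be illustrated with a small checker over the NVD 1.1 JSON feed format. The example below is added here and is not code from the Guix project or from this thread. The feed content is constructed to mirror the shape of the real `nvdcve-1.1-*.json.gz` files; the `hidden` parameter stands in for `lint-hidden-cve`; and two simplifications are assumptions of this example, not NVD semantics: configuration `operator` values (AND/OR) are not evaluated (any vulnerable match counts on its own), and versions are treated as dotted integers.

```python
"""Version-aware CVE matching over an NVD 1.1 JSON feed (added example)."""
import gzip
import json
from typing import Iterator, Optional

# Constructed sample in the shape of an NVD 1.1 feed (not real NVD data).
# The gvfs entry has an explicit upper bound; the gnome-shell entry has a
# bare wildcard version and no bounds at all, which is the case the thread
# describes: the linter cannot tell which versions are affected.
SAMPLE_FEED = {
    "CVE_data_type": "CVE",
    "CVE_Items": [
        {
            "cve": {"CVE_data_meta": {"ID": "CVE-2019-12447"}},
            "configurations": {"nodes": [
                {"operator": "OR", "cpe_match": [
                    {"vulnerable": True,
                     "cpe23Uri": "cpe:2.3:a:gnome:gvfs:*:*:*:*:*:*:*:*",
                     "versionEndExcluding": "1.40.2"}]}]},
        },
        {
            "cve": {"CVE_data_meta": {"ID": "CVE-2019-3820"}},
            "configurations": {"nodes": [
                {"operator": "OR", "cpe_match": [
                    {"vulnerable": True,
                     "cpe23Uri": "cpe:2.3:a:gnome:gnome-shell:*:*:*:*:*:*:*:*"}]}]},
        },
    ],
}

RANGE_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")


def cpe_matches(node: dict) -> Iterator[dict]:
    """Yield every cpe_match entry in a node and its children.
    Assumption of this example: AND/OR operators are not evaluated."""
    yield from node.get("cpe_match", [])
    for child in node.get("children", []):
        yield from cpe_matches(child)


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple, '1.40.2' -> (1, 40, 2).
    Non-numeric components are treated as 0 (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def classify(match: dict, product: str, version: str) -> Optional[str]:
    """None if the match is for another product; otherwise 'affected',
    'not-affected', or 'unbounded' when the entry carries no version data."""
    fields = match["cpe23Uri"].split(":")  # cpe:2.3:part:vendor:product:version:...
    if fields[4] != product or not match.get("vulnerable", True):
        return None
    v = parse_version(version)
    cpe_version = fields[5]
    if cpe_version not in ("*", "-"):  # exact version pinned in the CPE itself
        return "affected" if parse_version(cpe_version) == v else "not-affected"
    bounds = {k: parse_version(match[k]) for k in RANGE_KEYS if k in match}
    if not bounds:
        return "unbounded"
    if "versionStartIncluding" in bounds and v < bounds["versionStartIncluding"]:
        return "not-affected"
    if "versionStartExcluding" in bounds and v <= bounds["versionStartExcluding"]:
        return "not-affected"
    if "versionEndIncluding" in bounds and v > bounds["versionEndIncluding"]:
        return "not-affected"
    if "versionEndExcluding" in bounds and v >= bounds["versionEndExcluding"]:
        return "not-affected"
    return "affected"


def lint(feed: dict, product: str, version: str, hidden=()) -> list:
    """CVE IDs a linter would flag for product@version.  An 'unbounded'
    match is flagged too, since nothing rules the version out; `hidden`
    plays the role of the lint-hidden-cve allowlist."""
    flagged = []
    for item in feed["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        if cve_id in hidden:
            continue
        statuses = {classify(m, product, version)
                    for node in item.get("configurations", {}).get("nodes", [])
                    for m in cpe_matches(node)}
        if "affected" in statuses or "unbounded" in statuses:
            flagged.append(cve_id)
    return flagged


def find_cve(feed_gz: bytes, cve_id: str) -> Optional[dict]:
    """Structured equivalent of `gunzip | grep CVE-...` on a downloaded feed."""
    feed = json.loads(gzip.decompress(feed_gz))
    for item in feed["CVE_Items"]:
        if item["cve"]["CVE_data_meta"]["ID"] == cve_id:
            return item
    return None


if __name__ == "__main__":
    gz = gzip.compress(json.dumps(SAMPLE_FEED).encode())
    print(find_cve(gz, "CVE-2020-35492"))  # None: the ID is not in this feed
    print(lint(SAMPLE_FEED, "gvfs", "1.40.2"))  # []
    print(lint(SAMPLE_FEED, "gnome-shell", "3.34.5"))  # ['CVE-2019-3820']
    print(lint(SAMPLE_FEED, "gnome-shell", "3.34.5", hidden={"CVE-2019-3820"}))  # []
```

With a real feed, `find_cve` on the downloaded `.gz` file replaces the `grep` pipeline and distinguishes "not in the feed at all" from "present but without version bounds"; the latter is exactly the entry that should be hidden with a comment explaining why, rather than patched around in the linter.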