
Re: CVEs missing from the NIST database

From: Ludovic Courtès
Subject: Re: CVEs missing from the NIST database
Date: Mon, 15 Mar 2021 18:01:44 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Hi Mark,

Mark H Weaver <> skribis:

> Ludovic Courtès <> writes:
>> In this case, I noticed that ‘guix lint -c cve cairo’ wouldn’t report
>> CVE-2020-35492 and found that
>> <> is 404.
>> Likewise, this command:
>>    wget -qO - 
>> ""; | \
>>      gunzip | grep CVE-202-35492
>> turns up nothing.
>> It could be that this CVE is still “pending” (I think that happens
>> sometimes).  Do you know more about this one?
> I was looking in Debian's cairo package for fixes for other CVEs (namely
> the ones that "guix lint -c cve cairo" *did* report), and noticed that
> they included a fix for CVE-2020-35492.  I didn't investigate further.

OK.  It could be that it hasn’t reached the NIST database yet, as Leo

> While we're on the subject of issues with the CVE database, or possibly
> with our linter, "guix lint -c cve" now erroneously reports:
> gnu/packages/gnome.scm:8434:2: gnome-shell@3.34.5: probably vulnerable to 
> CVE-2019-3820
> gnu/packages/gnome.scm:6452:2: gvfs@1.40.2: probably vulnerable to 
> CVE-2019-12447, CVE-2019-12448, CVE-2019-12449
> All of these are incorrect.
> * CVE-2019-3820 was fixed long before GNOME 3.34 came out, and I've
>   verified that the commit that fixes it is included in
>   gnome-shell-3.34.5:
>     commit f0a7395b3006360905ccdc642982f9fc67378927
>     Author: Ray Strode <>
>     Date:   Wed Jan 23 15:59:15 2019 -0500
>     shellActionModes: disable POPUP keybindings in unlock screen
> * CVE-2019-12447, CVE-2019-12448, and CVE-2019-12449 are fixed in
>   gvfs-1.40.2, according to its NEWS file:

Yes, that can happen when the CVE doesn’t list affected versions:

The solution here is to add a ‘lint-hidden-cve’ property to the package
with a comment explaining why we think these CVEs can be ignored (info
"(guix) Invoking guix lint").

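As an added illustration for readers of this thread (not code from the message above or from Guix's gnu/packages/gnome.scm), here is what the ‘lint-hidden-cve’ fix looks like on a package definition. The ‘package’ record fields and the property name are Guix's own; the elided fields stand for whatever the existing gvfs definition already contains and are not reproduced here. The list of CVE identifiers and the comment follow the reasoning given in the thread (fixed in 1.40.2 per the NEWS file).

```scheme
;; Excerpt-style example: only the fields relevant to 'guix lint -c cve'
;; are shown.  The source, build-system, inputs and other fields of the real
;; gvfs definition are unchanged and elided here.
(define-public gvfs
  (package
    (name "gvfs")
    (version "1.40.2")
    ;; ... source, build-system, arguments, inputs, synopsis, etc. as before ...
    (properties
     ;; CVE-2019-12447, CVE-2019-12448 and CVE-2019-12449 are fixed in
     ;; 1.40.2 according to the upstream NEWS file.  The NIST entries list no
     ;; affected versions, so the linter cannot tell that this release is
     ;; already patched; hide them from the CVE checker and say why.
     '((lint-hidden-cve . ("CVE-2019-12447"
                           "CVE-2019-12448"
                           "CVE-2019-12449"))))))
```

The property takes a list of CVE identifier strings. After the change, ‘guix lint -c cve gvfs’ should no longer report those three entries; the comment next to the property is what lets the next person revisiting the package check that the justification still holds (for example when the package is upgraded and the hidden list should be reviewed).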
