guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVEs missing from the NIST database

From: Mark H Weaver
Subject: Re: CVEs missing from the NIST database
Date: Fri, 12 Mar 2021 15:27:08 -0500 
Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> In this case, I noticed that ‘guix lint -c cve cairo’ wouldn’t report
> CVE-2020-35492 and found that
> <https://nvd.nist.gov/vuln/detail/CVE-2020-35492> is 404.
>
> Likewise, this command:
>
>    wget -qO - 
> "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz"; | \
>      gunzip | grep CVE-202-35492
>
> turns up nothing.
>
> It could be that this CVE is still “pending” (I think that happens
> sometimes).  Do you know more about this one?

I was looking in Debian's cairo package for fixes for other CVEs (namely
the ones that "guix lint -c cve cairo" *did* report), and noticed that
they included a fix for CVE-2020-35492.  I didn't investigate further.

While we're on the subject on issues with the CVE database, or possibly
with our linter, "guix lint -c cve" now erroneously reports:

--8<---------------cut here---------------start------------->8---
gnu/packages/gnome.scm:8434:2: gnome-shell@3.34.5: probably vulnerable to 
CVE-2019-3820
gnu/packages/gnome.scm:6452:2: gvfs@1.40.2: probably vulnerable to 
CVE-2019-12447, CVE-2019-12448, CVE-2019-12449
--8<---------------cut here---------------end--------------->8---

All of these are incorrect.

* CVE-2019-3820 was fixed long before GNOME 3.34 came out, and I've
  verified that the commit that fixes it is included in
  gnome-shell-3.34.5:

    commit f0a7395b3006360905ccdc642982f9fc67378927
    Author: Ray Strode <rstrode@redhat.com>
    Date:   Wed Jan 23 15:59:15 2019 -0500

    shellActionModes: disable POPUP keybindings in unlock screen

* CVE-2019-12447, CVE-2019-12448, and CVE-2019-12449 are fixed in
  gvfs-1.40.2, according to its NEWS file:

--8<---------------cut here---------------start------------->8---
Major changes in 1.40.2
=======================
* daemon: Only accept EXTERNAL authentication (CVE-2019-12795)
* daemon: Check that the connecting client is the same user (CVE-2019-12795)
* admin: Ensure correct ownership when moving to file:// uri (CVE-2019-12449)
* admin: Use fsuid to ensure correct file ownership (CVE-2019-12447)
* admin: Allow changing file owner (CVE-2019-12447)
* admin: Add query_info_on_read/write functionality (CVE-2019-12448)
* afc: Remove assumptions about length of device UUID to support new devices
* gmountsource: Fix deadlocks in synchronous API
* afp: Fix afp backend crash when no username supplied
* Translation updates
--8<---------------cut here---------------end--------------->8---

      Mark
reply via email to
[Prev in Thread] Current Thread [Next in Thread]