On Fri, Dec 22, 2023 at 10:28:42AM +0100, Samuel Thibault wrote:
> Control: severity -1 wishlist
>
> Hello,
>
> Moritz Mühlenhoff, on Fri, 22 Dec 2023 10:03:28 +0100, wrote:
> > CVE-2023-49287[0]:
> > | TinyDir is a lightweight C directory and file reader. Buffer
> > | overflows in the `tinydir_file_open()` function. This vulnerability
> > | has been patched in version 1.2.6.
> >
> > https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
> > https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
> > https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt
> >
> > falcosecurity-libs embeds a copy of tinydir, if it's not used to
> > open files from potentially untrusted paths, feel free to downgrade.
>
> The tinydir_file_open function is not used at all indeed.
> (and we don't ship the only lwip app that includes tinydir.h anyway)
Thanks, I'll make a note in the Debian security. Let's just close the bug then, I'd say; no need to keep it open for a random change not affecting the Debian build.

Cheers,
Moritz
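The triage above turns on one question: does anything in the tree actually call the vulnerable function of the vendored header? The script below is an added example of that check, not code from the bug thread, from falcosecurity-libs or from the tinydir project. It lists the files that include tinydir.h and the call sites of tinydir_file_open() outside the header itself; a count of zero is the "not used at all" situation Samuel reports. The sample tree it builds is constructed for the demonstration (a trimmed stand-in header and two callers), so its file names and contents are assumptions, not the real falcosecurity-libs layout.

```shell
#!/bin/sh
# Added example (not from the bug report): triage a vendored tinydir.h by
# locating includers and call sites of tinydir_file_open(). Relies only on
# grep/find semantics common to GNU and BSD userlands.

# Files under $1 that include the vendored header, via <> or "".
tinydir_includers() {
    grep -rl --include='*.c' --include='*.h' --include='*.cpp' \
        -E '^[[:space:]]*#[[:space:]]*include[[:space:]]*[<"]tinydir\.h[>"]' \
        "$1" 2>/dev/null
}

# Call sites of tinydir_file_open(): every line naming the function,
# minus the header's own prototype/definition. Output is "path:line: text".
tinydir_file_open_calls() {
    grep -rn --include='*.c' --include='*.h' --include='*.cpp' \
        'tinydir_file_open[[:space:]]*(' "$1" 2>/dev/null \
        | grep -v '/tinydir\.h:' \
        | grep -v -E '^[^:]*:[0-9]+:[[:space:]]*_TINYDIR_FUNC'
}

# Number of call sites; 0 means the CVE-2023-49287 code is present but
# unreachable from the project's own sources.
tinydir_file_open_call_count() {
    tinydir_file_open_calls "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (assumption, not a real project): a stand-in
# tinydir.h plus two users, only one of which calls tinydir_file_open().
# Prints the temporary directory so the caller can inspect and remove it.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/vendor" "$d/src"
    cat > "$d/vendor/tinydir.h" <<'EOF'
/* trimmed stand-in for the vendored header, not the real tinydir.h */
_TINYDIR_FUNC int tinydir_open(tinydir_dir *dir, const char *path);
_TINYDIR_FUNC int tinydir_file_open(tinydir_file *file, const char *path);
EOF
    cat > "$d/src/list.c" <<'EOF'
#include "tinydir.h"
int list(const char *p) { tinydir_dir d; return tinydir_open(&d, p); }
EOF
    cat > "$d/src/stat.c" <<'EOF'
#include <tinydir.h>
int probe(const char *p) { tinydir_file f; return tinydir_file_open(&f, p); }
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: report on the constructed tree, then clean up.
if [ "${0##*/}" != "sh" ] && [ -z "$TINYDIR_TRIAGE_NO_MAIN" ]; then
    tree=$(make_sample_tree)
    echo "includers:"; tinydir_includers "$tree"
    echo "call sites:"; tinydir_file_open_calls "$tree"
    echo "count: $(tinydir_file_open_call_count "$tree")"
    rm -rf "$tree"
fi
```

Run it against a real checkout with `tinydir_file_open_call_count path/to/src`; a non-zero count is the cue to look at each caller and ask whether the path it passes can come from an untrusted source, which is the question Moritz's note asks the maintainer to answer before downgrading.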