Hi Guilhem, hi Moritz,

On Sat, Dec 30, 2023 at 11:26:02PM +0100, Guilhem Moulin wrote:
> On Sat, 30 Dec 2023 at 21:02:16 +0100, Felix Geyer wrote:
> > There are some minor changes staged in the salsa git repo. It would be good
> > to include them as well. Feel free to push the patch to git and upload.
> > Alternatively a merge request works as well of course.
>
> Thanks for the fast response! Tagged and uploaded.
>
> Security team, if you agree with my assessment that CVE-2023-40462 is a
> duplicate of CVE-2023-34194 (but for a separate project that embeds
> libxml) and that CVE-2023-40458 is a duplicate of CVE-2021-42260 (but
> for a separate project that embeds libxml), I can propose debdiffs for
> bullseye and bookworm.
I think the former is correct but still a bit biased. We initially had exactly CVE-2023-40462 as NFU and CVE-2023-34194 for tinyxml. I have now committed https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e507c932b999df48f808969c00f07a638e3357b which does match my understanding of this doubled CVE assignment. The document is actually not very clear. It still mentions CVE-2023-40462 but does not consistently say "TinyXML as used in". Still, I hope we can agree that the above matches all our understanding. Moritz, given you updated the entry back then from NFU to tinyxml, if you still strongly disagree I will revert the above, but I tried to explain my reasoning in the commit message.

Now for CVE-2023-40458 I'm not sure. Looking back at the references for CVE-2021-42260 and the issue report at https://sourceforge.net/p/tinyxml/bugs/141/, this sensibly matches the description for CVE-2023-40458, but I will want to see if Moritz has additional input here. If this is the case we either have the option to mark it really as a duplicate (and request a reject from MITRE) or it is again just an ALEOS issue "... tinyxml as used in". Again, the table here is not very clear in the report: for CVE-2023-34194 and CVE-2023-40462 the two CVEs were explicitly listed with brackets including the product in the table, but this is not the case for CVE-2023-40458.

Moritz?

Regards,
Salvatore