Hi Mark,

Mark H Weaver <[email protected]> skribis:

> Ludovic Courtès <[email protected]> writes:
>
>> In this case, I noticed that ‘guix lint -c cve cairo’ wouldn’t report
>> CVE-2020-35492 and found that
>> <https://nvd.nist.gov/vuln/detail/CVE-2020-35492> is 404.
>>
>> Likewise, this command:
>>
>>   wget -qO - "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz" | \
>>     gunzip | grep CVE-202-35492
>>
>> turns up nothing.
>>
>> It could be that this CVE is still “pending” (I think that happens
>> sometimes). Do you know more about this one?
>
> I was looking in Debian's cairo package for fixes for other CVEs (namely
> the ones that "guix lint -c cve cairo" *did* report), and noticed that
> they included a fix for CVE-2020-35492. I didn't investigate further.

OK. It could be that it hasn’t reached the NIST database yet, as Leo wrote.

> While we're on the subject of issues with the CVE database, or possibly
> with our linter, "guix lint -c cve" now erroneously reports:
>
>   gnu/packages/gnome.scm:8434:2: [email protected]: probably vulnerable to CVE-2019-3820
>   gnu/packages/gnome.scm:6452:2: [email protected]: probably vulnerable to CVE-2019-12447, CVE-2019-12448, CVE-2019-12449
>
> All of these are incorrect.
>
> * CVE-2019-3820 was fixed long before GNOME 3.34 came out, and I've
>   verified that the commit that fixes it is included in
>   gnome-shell-3.34.5:
>
>     commit f0a7395b3006360905ccdc642982f9fc67378927
>     Author: Ray Strode <[email protected]>
>     Date:   Wed Jan 23 15:59:15 2019 -0500
>
>         shellActionModes: disable POPUP keybindings in unlock screen
>
> * CVE-2019-12447, CVE-2019-12448, and CVE-2019-12449 are fixed in
>   gvfs-1.40.2, according to its NEWS file:

Yes, that can happen when the CVE doesn’t list affected versions:

  https://www.openwall.com/lists/oss-security/2017/03/15/3

The solution here is to add a ‘lint-hidden-cve’ property to the package
with a comment explaining why we think these CVEs can be ignored (info
"(guix) Invoking guix lint").

Thanks,
Ludo’.
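The false positive discussed in this thread (a CVE entry with no affected-version bounds matching every version of the package) and the effect of a per-package hidden-CVE list, as an added Python illustration that is not Guix's own linter code (which is Guile). The CVE IDs are the ones from the thread, but the NVD 1.1-style feed entries attached to them are constructed for the example, not copied from NVD.

```python
"""Why a CVE entry that lists no affected versions makes a CVE linter flag a
package, and how a per-package hidden-CVE list suppresses that report."""

# Constructed NVD 1.1-style feed fragment (CVE IDs from the thread; the
# configuration data is made up for the example, not real NVD content).
FEED = {"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-2019-3820"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         # No version bounds at all: a wildcard that matches every version.
         {"vulnerable": True,
          "cpe23Uri": "cpe:2.3:a:gnome:gnome-shell:*:*:*:*:*:*:*:*"}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2019-12447"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True,
          "cpe23Uri": "cpe:2.3:a:gnome:gvfs:*:*:*:*:*:*:*:*",
          "versionEndExcluding": "1.40.2"}]}]}},
]}


def version_key(text):
    """Dotted version string to a comparable tuple: "3.34.5" -> (3, 34, 5)."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def match_applies(match, version):
    """True when one cpe_match entry claims `version` is vulnerable.  A '*'
    version with no versionStart*/versionEnd* bound matches *every* version."""
    if not match.get("vulnerable", False):
        return False
    cpe_version = match["cpe23Uri"].split(":")[5]
    if cpe_version != "*":
        return version_key(cpe_version) == version_key(version)
    v = version_key(version)
    bounds = (("versionStartIncluding", lambda b: v < b),
              ("versionStartExcluding", lambda b: v <= b),
              ("versionEndIncluding", lambda b: v > b),
              ("versionEndExcluding", lambda b: v >= b))
    return not any(key in match and out(version_key(match[key])) for key, out in bounds)


def lint_cve(product, version, feed=FEED, hidden=()):
    """CVE IDs the feed marks as affecting product@version, minus those in
    `hidden` (the role a lint-hidden-cve package property plays)."""
    reported = []
    for item in feed["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        hits = any(m["cpe23Uri"].split(":")[4] == product and match_applies(m, version)
                   for node in item["configurations"]["nodes"]
                   for m in node.get("cpe_match", []))
        if hits and cve_id not in hidden:
            reported.append(cve_id)
    return reported
```

With this data, gnome-shell 3.34.5 is flagged for CVE-2019-3820 purely because the entry carries no version bounds, while gvfs 1.40.2 is correctly left alone by the bounded entry.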
