Re: [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603

[Thomas Petazzoni via buildroot <buildroot@buildroot.org>]

Hello Daniel,

On Wed,  6 Sep 2023 22:09:27 +0200
Daniel Lang <dalang@gmx.at> wrote:

> The affected code isn't present in any release, see [0].
> 
> [0]: https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/
> 
> Signed-off-by: Daniel Lang <dalang@gmx.at>

Here the NVD database tells us that the following CPE identifier is
affected:

  cpe:2.3:a:libssh:libssh:-:*:*:*:*:*:*:*

So the version field is not '*', but '-', and I think our pkg-stats
script doesn't do the right thing when handling '-'. I remember asking
the NVD maintainers about this, and they replied:

    The '-' in the URI 'cpe:2.3:a:ntp:ntp:-:*:*:*:*:*:*:*' is used
    because the affected version was not specified. We need to use the
    '-' when the affected version is not specified otherwise, using the
    '*' will incorrectly call all versions of NTP as vulnerable.


    The '*' is the wildcard, while the '-' is used to represent
    unspecified versions, a placeholder to an update, as explained
    earlier.

I believe right now pkg-stats handles '-' like '*', but I'm not sure
it's the right thing to do. But the answer from NVD didn't really help
because "unspecified versions" doesn't mean much.

Another thing that would be good to do in pkg-stats is warn if there is
a CVE listed in <pkg>_IGNORE_CVES, but this CVE in fact does not
affects the package. This would allow us to catch mistakes, but also
cases where a CVE was added to the ignore list, but no longer needs to
be in that list because the NVD data has been updated/improved.

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot