Groups | Search | Server Info | Keyboard shortcuts | Login | Register

Groups > linux.debian.security > #6413

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

From Samuel Henrique <samueloph@debian.org>
Newsgroups linux.debian.security
Subject Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
Date 2025-05-10 21:40 +0200
Message-ID <KKYdb-29FY-17@gated-at.bofh.it> (permalink)
References <KHyoV-hxNz-1@gated-at.bofh.it>
Organization linux.* mail to news gateway

Show all headers | View raw

Hello Salvatore, sorry about the late reply, I was in MiniDebConf Maceió.

On Thu, 1 May 2025 at 06:24, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Yes the A2 would go in the direction we are thingking, internally we
> have said to it a new "nonissue" state, which can apply as well at
> suite entry levels (this was not possible with the unimportant severiy
> as major drawback). The nonissue (or not-affected-build-artifacts as
> you call it, but we can decide on a name once developing) state would
> be a new state so we can cover exactly for instance the zlib case,
> several curl cases were a feature is not enabled in a given suite, say
> bookworm not, but above are. So as a purely example:
>
> CVE-2024-9681 (When curl is asked to use HSTS, the expiry time for a subdomain might  ...)
>         - curl 8.11.0-1 (bug #1086804)
>         [bookworm] - curl 7.88.1-10+deb12u9
>         [bullseye] - curl <ignored> (curl is not built with HSTS support)
>
> Would become
>
> CVE-2024-9681 (When curl is asked to use HSTS, the expiry time for a subdomain might  ...)
>         - curl 8.11.0-1 (bug #1086804)
>         [bookworm] - curl 7.88.1-10+deb12u9
>         [bullseye] - curl <nonissue> (curl is not built with HSTS support)
>
> Or
>
> CVE-2023-28339 (OpenDoas through 6.8.2, when TIOCSTI is available, allows privilege es ...)
>         - doas <removed>
>         [bullseye] - doas <no-dsa> (Minor issue)
>         - opendoas <unfixed> (bug #1034185)
>         [trixie] - opendoas <not-affected> (Addressed via Linux kernel change)
>         [bookworm] - opendoas <ignored> (Minor issue, will be addressed via kernel change which isn't in 6.1 yet)
>
> would become
>
> CVE-2023-28339 (OpenDoas through 6.8.2, when TIOCSTI is available, allows privilege es ...)
>         - doas <removed>
>         [bullseye] - doas <no-dsa> (Minor issue)
>         - opendoas <unfixed> (bug #1034185)
>         [trixie] - opendoas <nonissue> (Addressed via Linux kernel change)
>         [bookworm] - opendoas <ignored> (Minor issue, will be addressed via kernel change which isn't in 6.1 yet)
>
> Similarly we could handle CVE-2016-2568, CVE-2016-2781, CVE-2023-28339
> in better ways than workaround.
>
> Thos are just examples, and I think you have a more complete list (can
> you share the CVEs so we can see how that would map into such a
> state?)

I'm currently traveling and don't have access to the list I previously checked
(will only reach that PC close to June).

But I think "nonissue" will work perfectly, at least as long as we also define
that <nonissue> will always result in the security-tracker (web UI, json) and
OVAL file (or alternatives we might generate in the future) showing the
package's binaries as "not-affected". Is this in line with what you discussed?

I'm asking because "nonissue" has a broader definition compared to
"not-affected-build-artifacts", and if "nonissue" is used for questionable CVEs
(e.g.: CVEs for elfutils or without security impact), then we can't end up in a
situation where "nonissue" is not evaluated as "not-affected", as this defeats
the whole purpose of the solution.


Thank you,


-- 
Samuel Henrique <samueloph>

Back to linux.debian.security | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

Re: security-tracker: A proposal to significantly reduce reported  false-positives (no affected-code shipped) Samuel Henrique <samueloph@debian.org> - 2024-11-28 00:50 +0100
  Re: security-tracker: A proposal to significantly reduce reported  false-positives (no affected-code shipped) Salvatore Bonaccorso <carnil@debian.org> - 2024-12-01 15:10 +0100
    Re: security-tracker: A proposal to significantly reduce reported  false-positives (no affected-code shipped) Samuel Henrique <samueloph@debian.org> - 2025-03-02 21:50 +0100
      Re: security-tracker: A proposal to significantly reduce reported  false-positives (no affected-code shipped) Samuel Henrique <samueloph@debian.org> - 2025-04-13 17:30 +0200
        Re: security-tracker: A proposal to significantly reduce reported  false-positives (no affected-code shipped) Salvatore Bonaccorso <carnil@debian.org> - 2025-04-13 17:40 +0200
      Re: security-tracker: A proposal to significantly reduce reported  false-positives (no affected-code shipped) Samuel Henrique <samueloph@debian.org> - 2025-04-13 18:10 +0200
        Re: security-tracker: A proposal to significantly reduce reported  false-positives (no affected-code shipped) Salvatore Bonaccorso <carnil@debian.org> - 2025-05-01 11:30 +0200
          Re: security-tracker: A proposal to significantly reduce reported  false-positives (no affected-code shipped) Samuel Henrique <samueloph@debian.org> - 2025-05-10 21:40 +0200
            Re: security-tracker: A proposal to significantly reduce reported  false-positives (no affected-code shipped) Santiago Ruano Rincón <santiagorr@riseup.net> - 2025-05-16 20:30 +0200
              Re: security-tracker: A proposal to significantly reduce reported  false-positives (no affected-code shipped) Salvatore Bonaccorso <carnil@debian.org> - 2025-05-18 18:50 +0200
                Re: security-tracker: A proposal to significantly reduce reported  false-positives (no affected-code shipped) Roberto C. Sánchez <roberto@debian.org> - 2025-06-03 23:30 +0200

csiph-web