On Thu, Nov 10, 2022 at 10:43:55AM +0200, Jaco Kroon wrote: > Hi, > > On 2022/11/10 06:13, John Helmert III wrote: > >>> - Drop synopsis and description fields. These fields contain the same > >>> information and will be superceded by the existing impact field. > >> Well, I'm not saying "no" but it feels a bit weird reading a GLSA that > >> doesn't say a word what the problem is but specifies impact. > > You're right, but with 19 CVEs (for example), is anyone really > > interested in hearing about the problem that caused each of the 19 > > issues? In the current format we've resorted to writing descriptions > > like... > Actually yes! Also a way to check whether my specific configuration is > vulnerable for this specific CVE, something like "If you're setting > foo=bar in /etc/pkg.conf your system is vulnerable, if you've got > foo=phew you're most likely fine". Obviously we could rely a bit more > on package maintainers (myself included) to provide these.
That would greatly increase the care necessary for us to release a GLSA. It's already a big pain (even with the new GLSAMaker being a huge improvement over the old one), and I'd like to make it less of a pain. Maybe a proxy for this information for you would be the "type" field of the impact? > I don't think I've seen a single "workaround" and usually the text here > just says "No known workaround", where the reality is that for something > like asterisk just not using the affected module is good enough. So > workaround: "Don't use chan_sip, use chan_pjsip instead" would be > perfectly fine here. > > One could thus also link GLSA issues to specific USE flags, taking > asterisk again, let's say the problem is with the http web server having > a buffer overflow in the http basic authenticator, then if that embedded > server isn't even compiled in, how can the package be vulnerable? So > here vulnerable would be something like > <net-misc/asterisk-16.X.Y:16[http], <net-misc/asterisk-18.A.B[http], > which then also indicates the "fixed" versions, as has been pointed out > "affected" and "not affected" are inverses. The "atom" attribute of each constraint is using atom syntax, so along with that we get the ability to specify USE exactly like "asterisk-16.X.Y:16[http]". > A mechanism to QUERY which installed packages are affected by known > GLSA's would also be tremendously helpful. Like glsa-check? > > > > Multiple vulnerabilities have been discovered in $PACKAGE. Please > > review the CVE identifiers referenced below for details. > > > > ... simply because it's infeasible (and in my opinion, not really > > necessary) for us to enumerate the issues in this way. Also, I note > > that the section being called "impact" doesn't preclude us from > > incorporating text that we would currently put in the "description" or > > "synopsis" fields. > > Of course giving the full details in the GLSA is a pain in the backside, > is there a way to retrieve this information automatically from the CVE > database? In other words, just get the blurp from there and include it > here. It won't give full details, but at least it will give some extra > details not currently available. Effectively we choose to ignore > certain GLSAs if we consider their impact to be low. We could import CVE descriptions, but then we'd end up with a huge wall of mostly useless text, such as CVE-2021-35648's: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). MySQL bugs usually have dozens of CVEs associated with them. Would it really be useful to have dozens of those paragraphs in GLSAs? Would it be useful to have that text included in a GLSA for MariaDB or PostgreSQL if they're affected by the same issue? On the other end of the spectrum (CVE-2022-41035): Microsoft Edge (Chromium-based) Spoofing Vulnerability. Does that tell anyone anything about the vulnerability? Not really, I think. It'd just be added noise in a GLSA. > It would also help a great deal to automate that if the CVE scores and > the "inputs" into that could be made available, eg, CVE score 7.0, > remote=yes/no, .... (And I'm fairly certain importing this from the CVE > database should be possible). It is possible, but is it really useful? CVSS scores are really just arbitrary numbers produced by CNAs (just like descriptions are arbitrary text). Even worse, sometimes the CNA changes the CVSS score, so if we reproduce it into GLSAs, would we have to keep track of any changes and update the GLSA accordingly? The CVE IDs are already exposed by the GLSA as references.uri fields. From those, it'd be trivial to automate the retrieval of the CVE data from their authoritative sources (e.g. NIST's NVD API [1] or cvelist.git itself [2]). But, maybe it would be useful to have a "type" attribute in the uri field indicating what kind of identifier it is (whether CVE, WSA, XSA, etc), and then other tools could more easily grok each kind of reference. [1] https://nvd.nist.gov/developers/vulnerabilities [2] https://github.com/CVEProject/cvelist > Of course, someone has to do the work, and the current status quo > doesn't irritate me enough to free up cycles to fix it, but if the above > could be (partially) accommodated that would be really, really great, if > not, no harm done. > > Much appreciate that there is work being done in this area. > > Kind Regards, > Jaco > >
signature.asc
Description: PGP signature
