#nixos-security on 2018-11-07

08:12 {^_^} has quit [Remote host closed the connection]

08:12 {^_^} has joined #nixos-security

08:18 mmercier has joined #nixos-security

09:42 __Sander__ has joined #nixos-security

09:45 ckauhaus has joined #nixos-security

12:19 r5d has joined #nixos-security

12:40 erictapen has joined #nixos-security

12:46 erictapen has quit [Ping timeout: 252 seconds]

12:52 erictapen has joined #nixos-security

14:47 erictapen has quit [Quit: leaving]

14:47 erictapen has joined #nixos-security

15:10 <flokli> https://github.com/MorteNoir1/virtualbox_e1000_0day

16:30 __Sander__ has quit [Quit: Konversation terminated!]

16:37 erictapen has quit [Quit: leaving]

17:00 pie_ has joined #nixos-security

17:03 mmercier has quit [Quit: mmercier]

17:08 pie_ has quit [Remote host closed the connection]

17:09 pie_ has joined #nixos-security

17:11 c0bw3b_ has joined #nixos-security

18:41 MichaelRaskin has joined #nixos-security

20:20 <ckauhaus> uh-oh

20:21 <ckauhaus> It'll probably take a while until a patch for VirtualBox will be available

20:21 <pie_> i havent been on irc in a week...do i want to know what i missed

20:22 <ckauhaus> heh

20:22 <ckauhaus> short version: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%221.severity%3A+security%22

20:26 <pie_> i...what? binutils rce? how does that even work?

20:26 <pie_> i mean why is it "network" category

20:29 <ckauhaus> hm

20:29 <ckauhaus> it's not clear to me what you're talking about

20:32 <pie_> yeah that was very not specific, sorry; see for example https://nvd.nist.gov/vuln/detail/CVE-2018-7568 "Access Vector (AV): Network "

20:32 <pie_> huh looks like thats some cvss 2.0 thing, the 3.0 column next to it says local

20:33 <pie_> i guess weird interactions between however those things are defined and the bugs?

20:33 <pie_> s/things/categories/

20:33 <ckauhaus> don't trust the information in the NVD to be accurate

20:34 <ckauhaus> I've found lots of errors in it over time

20:35 <pie_> i think it was like this for all th ebfd cves listed

20:37 <ckauhaus> w.r.t. binutils... someone tried to patch 2.30 which is included in 18.09

20:37 <ckauhaus> I don't know the exact state of affairs, but IIRC the whole things needs a bit of review and input

20:38 <ckauhaus> see #47128 and specifically #41042

20:38 <{^_^}> https://github.com/NixOS/nixpkgs/issues/47128 (by ckauhaus, 6 weeks ago, open): binutils: upgrade to 2.31.x

20:38 <{^_^}> https://github.com/NixOS/nixpkgs/pull/41042 (by ThomasMader, 23 weeks ago, open): binutils: Apply patches from 2.30 branch

20:39 <pie_> inb4 binutils is a catastrophe :P

20:41 <pie_> i remember a couple years ago someone was like "wow you know strings uses libbfd so you actually have a big library that can be exploited right?"

20:41 <ckauhaus> heh

21:07 {^_^} has quit [Read error: Connection reset by peer]

21:07 {^_^} has joined #nixos-security

22:28 c0bw3b_ has left #nixos-security [#nixos-security]

23:29 erictapen has joined #nixos-security