gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
justanotheruser has quit [Ping timeout: 240 seconds]
justanotheruser has joined #nixos-security
justanotheruser has quit [Ping timeout: 268 seconds]
justanotheruser has joined #nixos-security
ckauhaus has joined #nixos-security
marek has joined #nixos-security
MichaelRaskin has quit [Quit: MichaelRaskin]
<ckauhaus> anyone an idea how the repology stats for nixos are updated?
<ckauhaus> is there some automated mechanism?
<ckauhaus> if yes, where can I find it?
pie_ has joined #nixos-security
JohnAZoidberg has joined #nixos-security
<ckauhaus> JohnAZoidberg: #42882
<{^_^}> https://github.com/NixOS/nixpkgs/issues/42882 (by ckauhaus, 1 year ago, closed): Vulnerability roundup 44 (master)
<JohnAZoidberg> Remove tomahawk and taglib_1_9: #72082
<{^_^}> https://github.com/NixOS/nixpkgs/pull/72082 (by JohnAZoidberg, 44 seconds ago, open): taglib_1_9, tomahawk:Remove unmaintained packages
<globin> ckauhaus: they fetch our packages-*.json from the website
<globin> ckauhaus: why?
<globin> ckauhaus: so gets updated on channel release
<ckauhaus> thanks
<ckauhaus> we've found how it gets imported into repology
<ris> i have nine (9) open CVE-fixing PRs
<ris> the oldest is 29 days old
<marek> oh nice, that pango one is done
<ris> head -> desk
<ckauhaus> how to get someone(TM) to merge them?
<ckauhaus> ris: I can at least help reviewing them (no push access yet)
<ckauhaus> would you tell the PR numbers?
<ris> from oldest: #69925
<{^_^}> https://github.com/NixOS/nixpkgs/pull/69925 (by risicle, 4 weeks ago, open): [r19.09] qemu: add patches for CVE-2019-13164 & CVE-2019-14378
<ris> #70479
<{^_^}> https://github.com/NixOS/nixpkgs/pull/70479 (by risicle, 3 weeks ago, open): perlPackages.libapreq2: add patch for CVE-2019-12412
<ris> #71003
<{^_^}> https://github.com/NixOS/nixpkgs/pull/71003 (by risicle, 2 weeks ago, open): pythonPackages.rpyc: 4.1.1 -> 4.1.2, fixing CVE-2019-16328
<ris> #71080
<{^_^}> https://github.com/NixOS/nixpkgs/pull/71080 (by risicle, 2 weeks ago, open): openmpt123: 0.4.1 -> 0.4.9, fixing CVE-2019-17113
<qyliss> There's a security cleanup sprint happening at NixCon right now
<qyliss> Not sure who's participating
<ris> #71872
<{^_^}> https://github.com/NixOS/nixpkgs/pull/71872 (by risicle, 3 days ago, open): [r19.09] ghostscript: add patches for CVE-2019-10216, CVE-2019-14811, CVE-2019-14812, CVE-2019-14813 and some of CVE-2019-14817
<ris> ah interesting
<ris> mmahut just merged one of mine
<ris> #72025
<{^_^}> https://github.com/NixOS/nixpkgs/pull/72025 (by risicle, 1 day ago, open): file: add patch for CVE-2019-18218
<ris> #72028
<{^_^}> https://github.com/NixOS/nixpkgs/pull/72028 (by risicle, 1 day ago, open): [r19.09] libpcap, tcpdump: 1.9.1 and 4.9.3 for many security fixes
<ris> #72054
<{^_^}> https://github.com/NixOS/nixpkgs/pull/72054 (by risicle, 17 hours ago, open): gdal: add patch for CVE-2019-17545
<ckauhaus> basically just JohnAZoidberg and me
<ckauhaus> ris: looks like you have permission to trigger ofBorg builds
<ckauhaus> (looking at the qemu PR)
<ris> yeah seems so
<ris> forgot about that
<ris> and the rpyc one has been superseded by a mass bump it seems
<ckauhaus> ris: I've acquired merge rights a moment ago and will take care of it
<marek> ris: mmahut is me actually
ivan has quit [Ping timeout: 268 seconds]
ivan has joined #nixos-security
pie_ has quit [Ping timeout: 240 seconds]
<ris> ahhhhhhhh
tilpner has quit [Quit: tilpner]
tilpner has joined #nixos-security
tilpner has quit [Quit: tilpner]
tilpner has joined #nixos-security
justanotheruser has quit [Ping timeout: 240 seconds]
<ckauhaus> ris: just trying to build qemu with all recent patches
<ckauhaus> takes aaaaages
<ris> yeah it's all the architectures i think
<ris> i'm building... an interrupt controller emulator... for a powermac..
ryantm has joined #nixos-security
<ryantm> ckauhaus: I was thinking for now, what I'd do to handle the vendor ambiguity in CPE matching is to make a mapping of attrpath to vendor, but maybe a better solution would be to include the vendor in the meta information. With the Apache Thrift example maybe `pkgs.thrift.meta.cpe.vendor = "apache"`
<ckauhaus> perhaps
<ckauhaus> the problem is the NVD data is such a mess
<ckauhaus> for example, git's vendor is sometimes listed as "git", sometimes as "git project", sometimes as "git-scm"
<ryantm> and it isn't clear which one is the canonical vendor name either, I guess.
<ckauhaus> the data model itself is unsuitable
<ckauhaus> for many open source projects, there is no such concept as a 'vendor'
<ckauhaus> even worse: on the other hand we have large language specific ecosystems like pypi, cpan, rubygems, ... and these don't fit into the vendor/product scheme at all
<ryantm> ckauhaus: I guess the goal should be to try to cast a wide net of possible CVEs then use some approach to mark ones as invalid. Like it would be okay to say Apache Thrift should NOT report CVEs that have vendor "Facebook", but saying the vendor will definitely be "apache" might exclude something legitimate.
<ckauhaus> yeah
<ryantm> So probably I need a curated mapping from attrpath -> to list of matchers and a curated mapping from attrpath to blacklisted CVE matchers
<ckauhaus> in practice, this is often caught by version mismatches
<ckauhaus> but that at all times :)
<ryantm> Here's another interesting case I stumbled on https://github.com/ryantm/nixpkgs-update/blob/master/CVENOTES.org
<ryantm> uzbl used to be versioned with dates like year.month.day and now uses normal versions, which happen to be lower numerically than the dates.
<ryantm> Probably it can just be handled by blacklisting those CVEs.
<ckauhaus> it's a can of worms
<ckauhaus> unfortunately, I have to go to bed really soon
<ckauhaus> would like to continue the discussion during the next days
ckauhaus has quit [Quit: WeeChat 2.4]
<ryantm> night
tokudan has quit [Quit: Dunno.]
tokudan has joined #nixos-security