gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
KeiraT has quit [Ping timeout: 240 seconds]
ajs124 has quit [Quit: killed]
ajs124 has joined #nixos-security
KeiraT has joined #nixos-security
hmpffff_ has joined #nixos-security
hmpffff has quit [Ping timeout: 256 seconds]
anselmolsm has quit [Quit: Konversation terminated!]
kleisli has quit [Remote host closed the connection]
kleisli has joined #nixos-security
{`-`} has joined #nixos-security
tilpner has quit [Quit: tilpner]
hexa- has quit [Quit: WeeChat 2.7.1]
hexa- has joined #nixos-security
anselmolsm has joined #nixos-security
hmpffff_ has quit [Read error: Connection reset by peer]
<andi-> I would +1 on renaming them
hmpffff has joined #nixos-security
<andi-> keep the old name but add a suffix or prefix for the CVE number
justanotheruser has quit [Ping timeout: 272 seconds]
justanotheruser has joined #nixos-security
<hexa-> so 10_fix_buffer_overflow_wordole_c.patch => CVE-2014-8123_fix_buffer_overflow_wordole_c.patch
<hexa-> or just CVE-2014-8123.patch
<hexa-> debian has it like this ^
<andi-> I usually like to keep some reference to the original change that we are picking. If the .patch file doesn't contain commit messages etc.. we should at least keep the file name somewhat similar to what the original source did.
<andi-> It is no fun to figure out which of the 25 patches we apply overlaps with those 26 patches upstream uses for that one CVE if they are all named differently :)
<hexa-> renamed: 10_fix_buffer_overflow_wordole_c.patch -> CVE-2014-8123_add_check_for_buffer_overflow_with_malformed_input_files.patch
<hexa-> Description: Add check for buffer overflow with malformed input files
<hexa-> would that be too long?
<hexa-> renamed: 10_fix_buffer_overflow_wordole_c.patch -> CVE-2014-8123_fix_buffer_overflow_wordole_c.patch
<hexa-> probably better like this
<hexa-> andi-: https://broken.sh/issues/CVE-2011-3868 matches against the wrong package :/
<hexa-> our ams is an audio package … 2~642: ams = callPackage ../applications/audio/ams {};
<andi-> I could probably add a blacklist for vendors... does anyone actually care about vmware in our context?
<flokli> lol
<hexa-> https://broken.sh/issues/CVE-2019-18899 doesn't affect us … The apt-cacher-ng package of openSUSE Leap 15.1
<hexa-> how do we annotate that?
<andi-> we don't do that yet... I have ideas but haven't really finished that part yet
<andi-> Maybe I'll do that one of these days
<hexa-> :)
<hexa-> or … can I open bugs for you somewhere? :)
anselmolsm has quit [Remote host closed the connection]
anselmolsm has joined #nixos-security
<andi-> hexa-: yes, click on the github link on broken.sh
<hexa-> ok
<hexa-> #87139
<{^_^}> https://github.com/NixOS/nixpkgs/pull/87139 (by mweinelt, 20 seconds ago, open): treewide: add CVE identifiers to patches
<hexa-> ~12 CVEs annotated
<aanderse> hexa-: thanks for bump! some packages really need maintainers... :-S
justanotheruser has quit [Ping timeout: 256 seconds]
<hexa-> :)
justanotheruser has joined #nixos-security