*** tobias-urdin-pto is now known as tobias-urdin | 07:34 | |
tobias-urdin | fungi: just out of curiosity, i assume this was a redhat only initiative https://www.cvedetails.com/cve/CVE-2023-3637 so there is no OSSA for the same thing even though the patches seems to be in the open already | 07:35 |
fungi | tobias-urdin: looks like maybe it only affected train? or at least that's all they mention patching | 11:34 |
fungi | at first i thought it might be https://launchpad.net/bugs/1988026 which we never came to a decision on issuing an advisory for. it allowed authenticated users to create an unlimited number of security groups that aren't applicable to any project, so could (very slowly) fill the db. rh reserved a different cve for that though, CVE-2022-3277 | 11:38 |
fungi | since rh's srpms aren't publicly available, it's hard to pull the patch they're using and find out, but maybe one of our colleagues there can dig up some details... d34dh0r53? dmendiza[m]? tonyb? | 11:40 |
fungi | the lack of any reference to an upstream bug report either in the cve details or rh's advisory makes me think it was something that was never reported upstream, and usually the only legitimate reason for that is the vulnerability wasn't in any upstream maintained branches of the software | 11:41 |
tonyb | I can for sure research tomorrow. to see what patches there are and contact the authors for why it wasn't public, if that is the case | 11:43 |
fungi | thanks tonyb! i think i've exhausted the research options available to me as a general member of the public | 11:45 |
tonyb | yeah. I don't know if the code on git.centos.org has been pulled yet. that'd be the only public place to see the srpms. | 11:48 |
tobias-urdin | fungi: tonyb ack ty, i was just curious since there was no mention of any patches or versions if it was handled completely in the "dark" | 12:10 |
tonyb | yeah. it's a good find. more than a little disturbing on the face of it | 12:12 |
fungi | yes, hopefully it's as i described, the bug doesn't exist upstream in any still maintained version and the advisory simply omitted that detail | 12:12 |
fungi | but it also wouldn't be the first time red hat patched bugs downstream and forgot to even forward the bug report upstream to the project (though it would be the first case i'm aware of which was treated as a security issue, if so) | 12:13 |
tonyb | I'll look properly tomorrow, but it looks like the fixes for 2023-3637 are those for CVE-2022-3277. https://review.opendev.org/q/Ieef7011f48cd2188d4254ff16d90a6465bbabfe3 | 12:44 |
tonyb | https://access.redhat.com/security/cve/CVE-2023-3637 points at https://access.redhat.com/security/cve/CVE-2022-3277 | 12:45 |
fungi | thanks, so cve-2023-3637 was created as a duplicate | 12:45 |
tonyb | I need to double check but at the moment it looks that way | 12:45 |
fungi | i guess someone got wires crossed somewhere | 12:45 |
fungi | amusing since both were assigned by the same cna | 12:46 |
fungi | thanks for looking! | 12:46 |
tonyb | Yeah. We could reach out to rodolfo as he's visible in both | 12:46 |
fungi | tobias-urdin: ^ semi-update | 12:46 |
tonyb | I'll do that tomorrow | 12:47 |
fungi | thanks. might have helped if the rh bug report and/or cve linked to the upstream bug report | 12:48 |
fungi | maybe someone in rh security can get those added | 12:50 |
tonyb | The view I have does cross-link but it isn't super obvious and I may see things that aren't generally visible | 12:50 |
tonyb | I'll see what I can do, assuming that they are indeed duplicates | 12:51 |
fungi | thanks again! it's not urgent | 12:51 |
tonyb | All good | 12:52 |
tobias-urdin | cool, thanks for checking! I knew I had seen it somewhere, after checking internally we had already handled CVE-2022-3277 | 14:24 |