
Re: c-ares, CVE-2023-31147, CVE-2023-31124



Hi Anton, all

Well, even if there are some systems affected, I must say that if
someone has removed urandom the behavior described is expected. I
mean /dev/urandom is there for a reason. And yes, there are better
functions than rand() but I can hardly see this as a vulnerability. Or
well it is, but it is the kind of vulnerability when you remove the
device that provides randomness in the system.

I would have marked them as "minor issue".

Cheers

// Ola


On Fri, 23 Jun 2023 at 06:49, Anton Gladky <gladk@debian.org> wrote:
>
> Hi,
>
> two CVEs might be irrelevant for Debian systems. Can they be
> tagged as "unaffected"? Or do we have some systems where
> /dev/urandom does not exist?
>
> Thanks
>
> Anton
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

