Re: Please correct or address CVE-2023-45853 for minizip / zlib
Hi Bastian,
On Sun, Oct 27, 2024 at 09:32:56AM +0100, Bastian Blank wrote:
> Hi
>
> On Sun, Oct 27, 2024 at 07:13:00AM +0100, Salvatore Bonaccorso wrote:
> > The tracking here is already correct. The shipped source is affected
> > but the security impact is not present, as binaries are not built.
> > This is already sufficiently reflected with the ignored note.
>
> It is correct, as in technically correct, the best kind of correct.
> This is a mostly useless category, as it ignores everything around it.
>
> The tracker data clearly states that the package as provided by Debian
> is vulnerable. And also the security tracker page clearly lists it as
> vulnerable in red. If I need to understand free text to even be
> remotely able to identify if I might be affected, then the data is
> useless.
>
> Debian is a binary, not a source distribution. So in all other places
> we care about what we build, not what could be built from a given source
> package. But here, we now care about the source package and give free
> text explanations why we are both affected and not, free text that a
> non-developer might not even understand.
>
> > Security scanners often ignore this assessment, this might be why you
> > are asking? In such case ask your vendor of your security scanner to
> > include assessment of the <ignored> (explanation) tag.
>
> Security scanners are often not even able to properly differentiate
> between low priority stuff.
>
> I even had people gloating about the number of fewer vulnerabilities in
> Red Hat vs Debian. Turns out, Red Hat simply closes those low priority
> vulnerabilities, so it will not show up again, while Debian marks it and
> keeps it open. And this was about interpreting a tag without needing to
> interpret a free text explanation.
>
> But now you want to tell people that not only they have to interpret
> our own priority tags, they also have to interpret free text. I really
> fail to see what service this is to our users?
Well, yes, your critique has definitely valid and fair assessment
points. I'm not saying the tracker is perfect, and you know the whole
thing very well, having done work yourself on it. And yes, this class of
problems is not sufficiently covered, both technically and to make it
unambiguous for the users fetching the information in a programmatic
way. What I was thinking for a while was to have a further substate
(think as we have now for no-dsa, with ignored and postponed) to cover
this class of issues. It did not get to a concretely defined proposal,
though.
Regards,
Salvatore