| mpiano | ebarretto: hello, we are again in the same boat as last week, the OVAL CVE data was last updated on 2024-11-02T00:37:02 | 10:11 |
|---|---|---|
| ebarretto | mpiano: yep, I triggered a manual build an hour ago and it is in the last steps | 10:16 |
| mpiano | thanks for the context, I'll keep monitoring the situation on our side then | 10:18 |
| === sespiros_ is now known as sespiros | ||
| popey | Good day. CVE-2023-40548 looks to have a version error in it. It mentions "Fixed 15.8-0ubuntu1" but the actual version is "1.58+15.8-0ubuntu1". Should the version in the CVE not match the deb package version, not the Microsoft upstream shim version? https://ubuntu.com/security/CVE-2023-40548 | 15:24 |
| -ubottu:#ubuntu-security- A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity ... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40548> | 15:24 | |
| popey | We have an issue for this (with discussion) on our vulnerability data. https://github.com/anchore/vulnerability-match-exclusion-database/issues/229 | 15:24 |
| mdeslaur | hi popey! | 15:25 |
| mdeslaur | one sec, let me check | 15:25 |
| mdeslaur | popey: the source package version seems to be 15.8-0ubuntu1 https://launchpad.net/ubuntu/+source/shim | 15:26 |
| mdeslaur | where are you seeing 1.58+15.8-0ubuntu1? | 15:26 |
| mdeslaur | I can't access that github link | 15:27 |
| popey | https://launchpad.net/ubuntu/+source/shim-signed | 15:27 |
| popey | oh, sorry. | 15:27 |
| mdeslaur | this is one of those idiotic debian packaging particularities...the source package doesn't have the same version as the binary packages | 15:28 |
| mdeslaur | the source package is in fact versioned as 1.58, while the binary packages do in fact seem to be versioned as 1.58+15.8-0ubuntu1 | 15:28 |
| popey | Oh dear. | 15:29 |
| popey | Ok, thanks for looking. | 15:29 |
| mdeslaur | we track source packages in our cve tracker | 15:29 |
| mdeslaur | so, your tooling may need to be modified to handle this type of weird case, unfortunately | 15:29 |
| popey | .oO( I wonder how many of these weird cases there are ) | 15:30 |
| mdeslaur | I've seen it perhaps 2-3 times that I can remember, definitely not common | 15:31 |
| popey | I think we do try to get the source version in Grype, but it depends on the available metadata in the analysis | 15:31 |
| popey | Ok. Thank you. | 15:31 |
| mdeslaur | np! | 15:32 |
| popey | mdeslaur sorry - if 1.58 (as you say) is the source version, why does the CVE tracker show 15.8 for both shim and shim-signed? https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-40548#n62 | 16:11 |
| -ubottu:#ubuntu-security- A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity ... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40548> | 16:11 | |
| mdeslaur | popey: those are two different source packages | 16:12 |
| mdeslaur | popey: and they are versioned like that | 16:12 |
| mdeslaur | https://launchpad.net/ubuntu/+source/shim | 16:12 |
| mdeslaur | https://launchpad.net/ubuntu/+source/shim-signed | 16:12 |
| mdeslaur | one sec, let me look again | 16:12 |
| mdeslaur | oh you are totally right | 16:13 |
| mdeslaur | my bad | 16:13 |
| popey | Que? One is 1.59 (1.58 in LTS) and the other is 15.8. The shim-signed is 1.58 but in the CVE it's 15.8 | 16:13 |
| mdeslaur | one sec, I'll fix | 16:13 |
| mdeslaur | popey: https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=c758006a7f9b00d92ce91c1aa4c3e07e7a3fe2e7 | 16:15 |
| -ubottu:#ubuntu-security- Commit c758006 in ubuntu-cve-tracker "fix wrong versioning in shim-signed CVE HEAD master" | 16:15 | |
| mdeslaur | sorry for the confusion | 16:15 |
| popey | Nice one. There may be more... :) | 16:16 |
| mdeslaur | also, where are my glasses? | 16:16 |
| mdeslaur | yeah, there are more, let me search for the others | 16:16 |
| popey | I would post an 'old age' skull emoji, but we're on irc. So y'know. | 16:16 |
| popey | CVE-2023-40546 shim-signed < 15.8CVE-2023-40547 shim-signed < 15.8CVE-2023-40548 shim-signed < 15.8CVE-2023-40549 shim-signed < 15.8CVE-2023-40550 shim-signed < 15.8CVE-2023-40551 shim-signed < 15.8 | 16:17 |
| -ubottu:#ubuntu-security- A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an error message to the user; however, the number of parameters used by the logging function doesn't match the format string used by it, leading to a crash under certain circumstances. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40546> | 16:17 | |
| -ubottu:#ubuntu-security- A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot p... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40547> | 16:17 | |
| -ubottu:#ubuntu-security- A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity ... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40548> | 16:17 | |
| -ubottu:#ubuntu-security- An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40549> | 16:17 | |
| -ubottu:#ubuntu-security- An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40550> | 16:17 | |
| -ubottu:#ubuntu-security- A flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40551> | 16:17 | |
| popey | sorry mr bot | 16:17 |
| mdeslaur | https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=20f316be9ad7db4696f7e2ef58953b42f3c943d7 | 16:18 |
| -ubottu:#ubuntu-security- Commit 20f316b in ubuntu-cve-tracker "fixed more shim-signed wrong versions HEAD master" | 16:18 | |
| popey | Yay! Thanks! | 16:19 |
| mdeslaur | np :) | 16:19 |
| === TooManyHats96 is now known as TooManyHats95 | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!