[10:11] <mpiano> ebarretto: hello, we are again in the same boat as last week, the OVAL CVE data was last updated on 2024-11-02T00:37:02
[10:16] <ebarretto> mpiano: yep, I triggered a manual build an hour ago and it is in the last steps 
[10:18] <mpiano> thanks for the context, I'll keep monitoring the situation on our side then
=== sespiros_ is now known as sespiros
[15:24] <popey> Good day. CVE-2023-40548 looks to have a version error in it. It mentions "Fixed 15.8-0ubuntu1" but the actual version is "1.58+15.8-0ubuntu1". Should the version in the CVE not match the deb package version, not the Microsoft upstream shim version? https://ubuntu.com/security/CVE-2023-40548
[15:24] -ubottu:#ubuntu-security- A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity ... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40548>
[15:24] <popey> We have an issue for this (with discussion) on our vulnerability data. https://github.com/anchore/vulnerability-match-exclusion-database/issues/229
[15:25] <mdeslaur> hi popey!
[15:25] <mdeslaur> one sec, let me check
[15:26] <mdeslaur> popey: the source package version seems to be 15.8-0ubuntu1 https://launchpad.net/ubuntu/+source/shim
[15:26] <mdeslaur> where are you seeing 1.58+15.8-0ubuntu1?
[15:27] <mdeslaur> I can't access that github link
[15:27] <popey> https://launchpad.net/ubuntu/+source/shim-signed
[15:27] <popey> oh, sorry.
[15:28] <mdeslaur> this is one of those idiotic debian packaging particularities...the source package doesn't have the same version as the binary packages
[15:28] <mdeslaur> the source package is in fact versioned as 1.58, while the binary packages do in fact seem to be versioned as 1.58+15.8-0ubuntu1
[15:29] <popey> Oh dear. 
[15:29] <popey> Ok, thanks for looking.
[15:29] <mdeslaur> we track source packages in our cve tracker
[15:29] <mdeslaur> so, your tooling may need to be modified to handle this type of weird case, unfortunately
[15:30] <popey> .oO( I wonder how many of these weird cases there are )
[15:31] <mdeslaur> I've seen it perhaps 2-3 times that I can remember, definitely not common
[15:31] <popey> I think we do try to get the source version in Grype, but it depends on the available metadata in the analysis
[15:31] <popey> Ok. Thank you.
[15:32] <mdeslaur> np!
[16:11] <popey> mdeslaur sorry - if 1.58 (as you say) is the source version, why does the CVE tracker show 15.8 for both shim and shim-signed? https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-40548#n62
[16:11] -ubottu:#ubuntu-security- A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity ... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40548>
[16:12] <mdeslaur> popey: those are two different source packages
[16:12] <mdeslaur> popey: and they are versioned like that
[16:12] <mdeslaur> https://launchpad.net/ubuntu/+source/shim
[16:12] <mdeslaur> https://launchpad.net/ubuntu/+source/shim-signed
[16:12] <mdeslaur> one sec, let me look again
[16:13] <mdeslaur> oh you are totally right
[16:13] <mdeslaur> my bad
[16:13] <popey> Que? One is 1.59 (1.58 in LTS) and the other is 15.8. The shim-signed is 1.58 but in the CVE it's 15.8
[16:13] <mdeslaur> one sec, I'll fix
[16:15] <mdeslaur> popey: https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=c758006a7f9b00d92ce91c1aa4c3e07e7a3fe2e7
[16:15] -ubottu:#ubuntu-security- Commit c758006 in ubuntu-cve-tracker "fix wrong versioning in shim-signed CVE HEAD master"
[16:15] <mdeslaur> sorry for the confusion
[16:16] <popey> Nice one. There may be more... :) 
[16:16] <mdeslaur> also, where are my glasses?
[16:16] <mdeslaur> yeah, there are more, let me search for the others
[16:16] <popey> I would post an 'old age' skull emoji, but we're on irc. So y'know.
[16:17] <popey> CVE-2023-40546  shim-signed   < 15.8CVE-2023-40547  shim-signed   < 15.8CVE-2023-40548  shim-signed   < 15.8CVE-2023-40549  shim-signed   < 15.8CVE-2023-40550  shim-signed   < 15.8CVE-2023-40551  shim-signed   < 15.8
[16:17] -ubottu:#ubuntu-security- A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an error message to the user; however, the number of parameters used by the logging function doesn't match the format string used by it, leading to a crash under certain circumstances. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40546>
[16:17] -ubottu:#ubuntu-security- A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot p... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40547>
[16:17] -ubottu:#ubuntu-security- A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity ... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40548>
[16:17] -ubottu:#ubuntu-security- An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40549>
[16:17] -ubottu:#ubuntu-security- An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40550>
[16:17] -ubottu:#ubuntu-security- A flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40551>
[16:17] <popey> sorry mr bot
[16:18] <mdeslaur> https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=20f316be9ad7db4696f7e2ef58953b42f3c943d7
[16:18] -ubottu:#ubuntu-security- Commit 20f316b in ubuntu-cve-tracker "fixed more shim-signed wrong versions HEAD master"
[16:19] <popey> Yay! Thanks! 
[16:19] <mdeslaur> np :)
=== TooManyHats96 is now known as TooManyHats95