#1071276 Is 1:1.2.13.dfsg-1 affected by CVE-2023-45853, and if it is, will 1:1.3.dfsg-3.1 be backported to bookworm?

#1071276#5
Date:
2024-05-17 14:43:26 UTC
From:
To:
Related bug reports:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054290
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056718

These were marked as resolved but it seems like I'm getting some
contradictory information.

- The zlib package page https://tracker.debian.org/pkg/zlib says that
CVE-2023-45853 <https://security-tracker.debian.org/tracker/CVE-2023-45853>
is ignored, what is the basis for ignoring this CVE?
- Is there a plan to backport zlib 1:1.3.dfsg-3.1 to bookworm? It looks
like it's currently in trixie

The maintainer of zlib said this in a comment
https://github.com/madler/zlib/pull/843#issuecomment-2050417533
https://security-tracker.debian.org/tracker/CVE-2023-45853 , that
incorrectly marks 1:1.2.13.dfsg-1 as vulnerable, when in fact it has no
minizip code in it whatsoever. (I verified that by downloading it and
listing the external symbols in the .so file.) I managed to reach someone
at debian.org who seems to be in control of that page, but instead of
fixing the page, they defended it, even though it's wrong.

Can a Debian maintainer elaborate on this? Do the Debian maintainers feel
like this version of zlib is vulnerable or not?

If the Debian maintainers could confirm that this is not a real
vulnerability, maybe then we can get trivy to stop flagging this as a
critical vulnerability in their scan. This is a rather big problem because
a lot of images use Debian (bookworm specifically) and a lot of base images
(e.g. nginx) are getting flagged for this.

Thanks,

- J

#1071276#10
Date:
2024-05-17 14:54:24 UTC
From:
To:
Please direct any questions about security updates to the security team.
#1071276#15
Date:
2024-05-17 14:54:24 UTC
From:
To:
Please direct any questions about security updates to the security team.
#1071276#20
Date:
2024-05-17 14:56:53 UTC
From:
To:
Hi Mark,

How do I get in contact with them, should I just send a message to
security@debian.org?

Thanks,
- J

#1071276#25
Date:
2024-05-17 14:56:53 UTC
From:
To:
Hi Mark,

How do I get in contact with them, should I just send a message to
security@debian.org?

Thanks,
- J

#1071276#30
Date:
2024-05-17 15:06:35 UTC
From:
To:
Yes.
#1071276#35
Date:
2024-05-17 15:06:35 UTC
From:
To:
Yes.
#1071276#40
Date:
2024-05-17 16:08:40 UTC
From:
To:
Hi,

Again, the notes explain the tracking; The zlib is *source* in the
security-tracker not the binary package produced. Thus the entry reads
as:

        - zlib 1:1.3.dfsg-2 (bug #1054290)
        [bookworm] - zlib <ignored> (contrib/minizip not built and producing binary packages)
        [bullseye] - zlib <ignored> (contrib/minizip not built and producing binary packages)
        [buster] - zlib <ignored> (contrib/minizip not built and producing binary packages)

is there in the wording which you think needs improvement?

Why does your security-scanner not consider the information gathered
by the security-tracker including the 'ignored' state there? Can you
bring that to your vendor of the security scanner?

Regards,
Salvatore

#1071276#45
Date:
2024-05-17 20:01:56 UTC
From:
To:
This report came from a free tool, trivy, I filed a Github discussion about
it here: https://github.com/aquasecurity/trivy/discussions/6722

On Fri, May 17, 2024 at 12:08 PM Salvatore Bonaccorso <carnil@debian.org> wrote:

#1071276#50
Date:
2024-05-18 09:03:36 UTC
From:
To:
Hi John,

So to add some additional datapoint: The issue araises here by maybe
thinking zlib refers to the binary package produced. It is correct,
for the binary package zlib then indeed you would not be vulnerable.

Let me as well elaborate on the "ingored". This comes as the binary
packages built from the *vulnerable* source, there is no point to
force an update in bookworm and older.

I hope this all get a better picture now on the CVE. If you still have
questions feel free to ask.

Regards,
Salvatore

#1071276#55
Date:
2024-05-22 13:56:09 UTC
From:
To:
Hello,

I got a response from trivy,
https://github.com/aquasecurity/trivy/discussions/6722#discussioncomment-9518531
.
packages)
------------------------------
<https://aquasecurity.github.io/trivy/v0.51/docs/supply-chain/vex/>.

I'll call out these particular points,

It sounds like this is some kind of incompatibility between how trivy
conceptualizes CVEs vs how Debian conceptualizes CVEs, plus a terminology
problem on the meaning of "ignored" (won't fix vs is not affected)

- Would you consider marking the vulnerability as "not_affected" instead of
"ignored"? Or does the Debian CVE tracking system not support that?

- I would agree that " [bookworm] - zlib (contrib/minizip not built and
producing binary packages)" doesn't have a standard format, but is there no
other viable way for a scanner to pick up on the CVE being ignored?

- Do you have docs to show what method should be used to properly handle
this issue being marked as "ignored"? Do you have any sample code / script
snippets you can share with me? Maybe I can submit a PR?

Maybe there is some way for trivy to notice that the issue is "ignored" and
then, for only Debian, interpret that as not_affected.

- John

On Sat, May 18, 2024 at 5:03 AM Salvatore Bonaccorso <carnil@debian.org> wrote:

#1071276#60
Date:
2024-05-24 17:57:01 UTC
From:
To:
Hello,

I was thinking about this a bit more and I had a question,
packages built from the *vulnerable* source, there is no point to force an
update in bookworm and older.

It sounds like Debian uses the "ignored" state to mean "this bug does not
affect the Debian package".

Is there another state that's used to indicate "won't fix"? Can we assume
that "ignored" always means "won't fix"? Or can "ignored" mean either thing
and we'd have to look in the notes to know for sure?

Thanks,
- J

#1071276#65
Date:
2024-05-24 19:39:44 UTC
From:
To:
Hi John,

Thanks for the query.
https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
explains how <ignored> is to be interpreted when encountered. I think
security-scanner encountering it can classify it accordingly so that
no flag is raised.

Hope that helps,

Regards,
Salvatore