| 27 Oct 2023 |
 hexa | open-vm-tools
https://www.openwall.com/lists/oss-security/2023/10/27/1
https://www.openwall.com/lists/oss-security/2023/10/27/2 | 10:52:49 |
 raboof | https://www.cve.org/CVERecord?id=CVE-2023-46604 | 15:11:17 |
| hexa | In reply to @raboof:matrix.org
https://www.cve.org/CVERecord?id=CVE-2023-46604 https://github.com/NixOS/nixpkgs/pull/263804 | 15:12:35 |
| 29 Oct 2023 |
|  zzywysm joined the room. | 00:08:43 |
 ris_ | libsass has 3 unfixed vulnerabilities https://nvd.nist.gov/vuln/detail/CVE-2022-26592 https://nvd.nist.gov/vuln/detail/CVE-2022-43357 https://nvd.nist.gov/vuln/detail/CVE-2022-43358. they're all stack overflows, so likely not more than a DoS. but upstream states that libsass is deprecated & unmaintained, so that makes me feel we should knownVulnerabilities them - but it would break a number of packages | 14:25:11 |
| hexa | "break" | 14:26:59 |
| hexa | I get your point, but I think setting meta.knownVulnerabilities is the correct move and then users can decide to allow it | 14:28:05 |
| ris_ | yeah i guess my only hesitation is how knownVulnerabilities puts dependent packages off our radar for spotting further breakages (via hydra and nixpkgs-review), which can be a death sentence | 14:35:14 |
| hexa | if noone cares for them (upstream and/or downstream) that is a reasonable outcome | 14:36:14 |
| hexa | I think best case we can ping every maintainer of affected packages, and make sure they take this upstream | 14:36:43 |
| ris_ | or remove the dependency if it's trivial/optional | 14:38:52 |
| ris_ | of course, npm packages will be bundling it for years to come | 14:39:15 |
| ris_ | gtk3 and gtk4 depend on saasc :) | 15:26:36 |
| ris_ | it's not clear if libsass has any existing mechanism to limit stack depth | 15:29:49 |
| ris_ | aha https://github.com/sass/libsass/blob/2102188d21d2b7577c2b3edb12832e90786a2831/src/eval.cpp#L961 | 15:31:11 |
| ris_ | looks like the problem is it's building a circular reference during the parse phase and then recursing into that via the has_real_parent_ref methods | 18:12:49 |
| ris_ | i think the reference cycle gets completed at https://github.com/sass/libsass/blob/2102188d21d2b7577c2b3edb12832e90786a2831/src/ast_selectors.cpp#L1032 | 18:35:06 |
| ris_ | in other news i think we're going to have to mark freeimage as vulnerable to a bunch of things too | 19:18:22 |
|  SomeoneSerge (matrix works sometimes) changed their display name from SomeoneSerge (UTC+1) to SomeoneSerge (UTC+2). | 22:41:25 |
| 30 Oct 2023 |
| zzywysm set a profile picture. | 14:27:04 |
|  toonn changed their profile picture. | 19:51:20 |
| 31 Oct 2023 |
| ris_ | what do people think about https://github.com/NixOS/nixpkgs/pull/264226 and marking it with knownVulnerabilities (and by extension hylafax+) | 21:55:16 |
| 1 Nov 2023 |
|  cafkafk left the room. | 10:41:33 |
| hexa | https://www.djangoproject.com/weblog/2023/nov/01/security-releases/ will take care of that in a bit | 12:39:51 |
|  @arcayr:rascals.net joined the room. | 17:52:38 |
| hexa | oh well | 23:41:45 |
| hexa |
CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows
| 23:41:47 |
 raitobezarius | you don't know if someone is cross compiling to Windows | 23:42:24 |
| raitobezarius | (sorry I wanted to mention it before but I thought you were accounting for that case) | 23:42:36 |
| hexa | I'm bumping it, but its much less urgent due to that | 23:42:57 |
