Debian Bookworm CVE-2023-45853 in zlib 1:1.2.13.dfsg-1 has been marked as ignored, but trivy still shows it as a vulnerability #6722
Replies: 5 comments 2 replies
-
|
Helllo @superlazyname As you can see - we marked this vulnerability as
It seems that Trivy supports VEX. Regards, Dmitriy |
Beta Was this translation helpful? Give feedback.
-
|
To follow this important discussion... |
Beta Was this translation helpful? Give feedback.
-
Is it important? Why? I don't have mind reading powers so I can't really guess as to what the trivy developers or aqua security's goals are with their product, but whatever outcome they wanted, what they shipped was an easy simplification over the very complex, very judgment call heavy topic of vulnerabilities and how they are handled. Like it or not you have to trust the developers to take vulnerabilities seriously. No tool (not even trivy) can actually go into the package source code and say how well something's been fixed, or if they really fixed it in a good way, so there's no avoiding the trust you must put in the people actually doing the work (whether that work is the actual zlib developers or the distro maintainers at Debian). I'm not saying I agree with how Debian marked this as "ignored" instead of "not affected". If I were them I would have marked it as "not affected", but if the people doing the actual work want to say "this is how we get our job done", and they are an independent project, does trivy have the right to step in and impose a strategy for handling vulnerabilities? If so, why? Is it really better to have a tool that handles every distro (and its different strategies and goals), or is it better to just hear it from Debian themselves? Nobody elected trivy as the manager of Linux, it just provided an easy solution for people looking for an easy solution (no matter how wrong or right it might be). We have to do better. So on one hand, yeah, maybe Debian could have classified this bug better. On the other hand, this may be the sort of squishy human judgement call that scanners like trivy just can't handle right now, and if they're not going to try, if they're going to pretend that security is a cut and dry mathematical formula (and not just a shaky tower of judgement calls from a lot of independent, thinking humans) then maybe it's time to re-evaluate their value-add. I hope in the long run the developers of this tool don't think security is this easy. Maybe scanners like trivy are "better than nothing", as in, people not noticing vulnerabilities at all and not paying attention, and maybe it feels objective to make a scanner like this, but in reality it's still imposing judgement calls and elevating certain organizations who are part of the ecosystem over others, I don't think we should fail to acknowledge that this is picking winners and losers. It's good to make people aware of problems, I don't know if you can do that without collaborating with the distros on a level beyond just how well some automated tools can parse information that wasn't meant for bots. |
Beta Was this translation helpful? Give feedback.
-
|
Hello everyone, I'm seeing a "CRITICAL" alert for the Extract of the output of the command
|
Beta Was this translation helpful? Give feedback.
-
|
Hello @yilas This is not false positive. |
Beta Was this translation helpful? Give feedback.
-
|
That is listed under the source packages, which includes the offending source code as part of the upstream archive. The binary package that gets installed does not have the offending code compiled in the zlib package. Their notes section details why this cve does not apply to the zlib binary package on debian. |
Beta Was this translation helpful? Give feedback.
-
|
Debian currently lacks the means to flag CVEs that are not in the binary packages as not affecting. I'm proposing a solution for this on the Debian side at https://lists.debian.org/debian-security/2024/08/msg00007.html Only after something like that is done, vulnerability scanners will be able to properly flag those cases as not affecting. |
Beta Was this translation helpful? Give feedback.
-
IDs
CVE-2023-45853
Description
This is related to this bug report https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071276
Here's some additional context from the Debian maintainers in that bug report
It seems like trivy is not picking up on the CVE being ignored.
Related bug reports:
Semi-related PR from zlib repository: madler/zlib#843 (comment) -- I think the information from this comment is outdated now, though, since the Debian tracker marked this issue as "ignored".
Trivy shows the Debian security tracker as its source. Maybe there's an extra field in the REST API's response that trivy isn't handling, that would indicate that an issue has been ignored?
{ "VulnerabilityID": "CVE-2023-45853", "PkgID": "zlib1g@1:1.2.13.dfsg-1", "PkgName": "zlib1g", "PkgIdentifier": { "PURL": "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64\u0026distro=debian-12.5\u0026epoch=1", "UID": "e9d44d22e6be4ccf" }, "InstalledVersion": "1:1.2.13.dfsg-1", "Status": "will_not_fix", "Layer": { "Digest": "sha256:c6cf28de8a067787ee0d08f8b01d7f1566a508b56f6e549687b41dfd375f12c7", "DiffID": "sha256:bbe1a212f7e9f1baaef62491a51254f3adda514c22632ea719f62713fad80f77" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45853", "DataSource": { "ID": "debian", "Name": "Debian Security Tracker", "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" }, "Title": "zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6", "Description": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.", "Severity": "CRITICAL", "CweIDs": [ "CWE-190" ], "VendorSeverity": { "amazon": 2, "cbl-mariner": 4, "ghsa": 4, "nvd": 4, "photon": 4, "redhat": 2, "ubuntu": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 9.8 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 9.8 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "V3Score": 5.3 } }, "References": [ "http://www.openwall.com/lists/oss-security/2023/10/20/9", "http://www.openwall.com/lists/oss-security/2024/01/24/10", "https://access.redhat.com/security/cve/CVE-2023-45853", "https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356", "https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4", "https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c", "https://github.com/madler/zlib/pull/843", "https://github.com/smihica/pyminizip", "https://github.com/smihica/pyminizip/blob/master/zlib-1.2.11/contrib/minizip/zip.c", "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "https://nvd.nist.gov/vuln/detail/CVE-2023-45853", "https://pypi.org/project/pyminizip/#history", "https://security.gentoo.org/glsa/202401-18", "https://security.netapp.com/advisory/ntap-20231130-0009", "https://security.netapp.com/advisory/ntap-20231130-0009/", "https://www.cve.org/CVERecord?id=CVE-2023-45853", "https://www.winimage.com/zLibDll/minizip.html" ], "PublishedDate": "2023-10-14T02:15:09.323Z", "LastModifiedDate": "2024-01-24T21:15:08.623Z" }Similar discussions (not the same issue):
Reproduction Steps
Target
Container Image
Scanner
Vulnerability
Target OS
debian:bookworm
Debug Output
Version
Checklist
-f jsonthat shows data sources and confirmed that the security advisory in data sources was correctBeta Was this translation helpful? Give feedback.
All reactions