False positive: w3m via nixos-help #22

Open
raboof opened this issue Nov 23, 2023 · 0 comments
Comments

raboof (Collaborator) commented Nov 23, 2023

Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/cbe45b19d4b97520173c48defa4c6747156d6dcf, it reports CVE-2023-38253 in w3m.

While this looks like a legitimate DoS vulnerability when w3m is used with untrusted HTML sites, it is not applicable here: the w3m dependency comes in via nixos-help:

/nix/store/39j31iqf9qw9b77hn3vyc1r9rdqdmd8y-nixos-system-nixos-23.11.20231119.e4ad989
└───/nix/store/psjpf3p5bbfn8yly67asc6nh6hi9f6ah-system-path
    └───/nix/store/vg9846qpcr0m338gvk6v9igdaxfkdvsa-nixos-help
        └───/nix/store/qddj49x0v8xj13cj979n3lr8akjxby5c-nixos-help
            └───/nix/store/gi9nf0pr687nm2d6pbabic9h0qxh9jma-w3m-0.5.3+git20230121

So w3m is used to browse nixos-help here if no other browser is found. While in theory nixos-help may have outbound links that might not be trusted, or the user could use nixos-help to enter w3m and then visit random URLs, that seems unlikely.

We might want to either:

  • Make sure this issue is reported with severity 'low' in this context
  • Suppress the advisory entirely in this context.

For the first solution: the issue carries two severity ratings: a Low rating based on https://access.redhat.com/security/updates/classification/ , and a MEDIUM CVSS score. These kinds of nuances are hard to encode into CVSS. We could:

For the second solution: This would require the online tool to provide updated severity ratings for CVEs taking into account context (#33).
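One way to express the "rate it low in this context" idea from the comment above, as an added example that is not part of the issue or of nix-security-tracker's code: parse the indented store-path tree quoted in the issue, enumerate every path from the system closure root to the flagged package, and apply a context rule that only fires when every such path passes through the package that pulls the dependency in. The rule format (`ContextRule`), the function names, and the second tree (same system, but with w3m also installed directly into the system path, under a made-up hash) are assumptions for the example; the first tree is the one quoted in the issue. The second tree goes beyond the issue's case to show the rule correctly not firing when w3m is reachable some other way.

```python
"""Context-aware severity override for a scanner finding (added example).

Not code from nix-security-tracker. Parses an indented store-path tree,
finds every root-to-package path, and applies hypothetical "only via"
rules that downgrade an advisory when the package is reachable solely
through a given parent (here: w3m only via nixos-help).
"""
import re
from dataclasses import dataclass

STORE_PATH = re.compile(r"^/nix/store/[a-z0-9]{32}-(?P<name>.+)$")

# Constructed sample: the reference chain quoted in the issue, in the
# indented tree layout shown there (four columns per level).
TREE_HELP_ONLY = """\
/nix/store/39j31iqf9qw9b77hn3vyc1r9rdqdmd8y-nixos-system-nixos-23.11.20231119.e4ad989
└───/nix/store/psjpf3p5bbfn8yly67asc6nh6hi9f6ah-system-path
    └───/nix/store/vg9846qpcr0m338gvk6v9igdaxfkdvsa-nixos-help
        └───/nix/store/qddj49x0v8xj13cj979n3lr8akjxby5c-nixos-help
            └───/nix/store/gi9nf0pr687nm2d6pbabic9h0qxh9jma-w3m-0.5.3+git20230121
"""

# Constructed variant (hypothetical hash): w3m is additionally installed
# straight into system-path, so nixos-help no longer covers every path.
TREE_DIRECT_TOO = TREE_HELP_ONLY + "    └───/nix/store/" + "z" * 32 + "-w3m-0.5.3+git20230121\n"


def parse_tree(text):
    """Return (root, children) for an indented store-path tree.

    Depth comes from the column at which '/nix/store/' starts, so the
    connector glyphs ('└───', '├───', '+---') do not matter.
    """
    root = None
    children = {}
    stack = []  # stack[d] is the most recent node seen at depth d
    for line in text.splitlines():
        if not line.strip():
            continue
        col = line.index("/nix/store/")
        depth, rem = divmod(col, 4)
        if rem:
            raise ValueError("unexpected indentation: %r" % line)
        path = line[col:]
        if not STORE_PATH.match(path):
            raise ValueError("not a store path: %r" % path)
        del stack[depth:]
        if depth == 0:
            root = path
        else:
            children.setdefault(stack[-1], []).append(path)
        stack.append(path)
        children.setdefault(path, [])
    return root, children


def pname(path):
    """Package name without version (approximating Nix's name/version split:
    the version starts at the first '-' followed by a digit)."""
    parts = STORE_PATH.match(path)["name"].split("-")
    keep = []
    for part in parts:
        if keep and part[:1].isdigit():
            break
        keep.append(part)
    return "-".join(keep)


def paths_to(root, children, target):
    """Every root-to-node path ending at a node whose pname is `target`."""
    found = []

    def walk(node, trail):
        trail = trail + [node]
        if pname(node) == target:
            found.append(trail)
            return
        for child in children.get(node, []):
            walk(child, trail)

    walk(root, [])
    return found


@dataclass(frozen=True)
class ContextRule:
    """Hypothetical rule shape: rate `cve` for `package` as `severity` when
    every path from the system root to `package` passes through `only_via`."""
    cve: str
    package: str
    only_via: str
    severity: str


RULES = [ContextRule("CVE-2023-38253", "w3m", "nixos-help", "low")]


def rate(cve, package, default_severity, tree_text, rules):
    """Severity to report for (cve, package) in this closure, or None if the
    package is not in the closure at all."""
    root, children = parse_tree(tree_text)
    paths = paths_to(root, children, package)
    if not paths:
        return None
    for rule in rules:
        if rule.cve != cve or rule.package != package:
            continue
        if all(any(pname(n) == rule.only_via for n in p) for p in paths):
            return rule.severity
    return default_severity


if __name__ == "__main__":
    for label, tree in (("help only", TREE_HELP_ONLY), ("direct too", TREE_DIRECT_TOO)):
        print(label, rate("CVE-2023-38253", "w3m", "medium", tree, RULES))
```

The rule deliberately requires *every* path to the package to go through the context package: if a user has w3m in their system path for its own sake, the nixos-help argument no longer applies and the finding keeps its default rating.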
