
False positive: w3m via nixos-help

Open raboof opened this issue 1 year ago • 0 comments

Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/cbe45b19d4b97520173c48defa4c6747156d6dcf, it reports CVE-2023-38253 in w3m.

While this looks like a legitimate DoS vulnerability when w3m is used with untrusted HTML sites, it is not applicable here: the w3m dependency comes in via nixos-help:

/nix/store/39j31iqf9qw9b77hn3vyc1r9rdqdmd8y-nixos-system-nixos-23.11.20231119.e4ad989
└───/nix/store/psjpf3p5bbfn8yly67asc6nh6hi9f6ah-system-path
    └───/nix/store/vg9846qpcr0m338gvk6v9igdaxfkdvsa-nixos-help
        └───/nix/store/qddj49x0v8xj13cj979n3lr8akjxby5c-nixos-help
            └───/nix/store/gi9nf0pr687nm2d6pbabic9h0qxh9jma-w3m-0.5.3+git20230121

So w3m is used to browse nixos-help here if no other browser is found. In theory nixos-help may have outbound links that might not be trusted, or the user could use nixos-help to enter w3m and then visit random URLs, but that seems unlikely.

We might want to either:

  • Make sure this issue is reported with severity 'low' in this context
  • Suppress the advisory entirely in this context.

For the first solution: the issue carries two severity ratings: a Low rating based on https://access.redhat.com/security/updates/classification/, and a MEDIUM CVSS score. These kinds of nuances are hard to encode into CVSS. We could:

  • choose to follow RedHat severity ratings over CVSS scores
  • 'override' the severity level of CVE-2023-38253 to 'low' (in a Nix-specific text rating provided by the online tool) in general. This would require the online tool to provide updated severity ratings for advisories (#32).
  • 'override' the severity level of CVE-2023-38253 to 'low' (in a Nix-specific text rating provided by the online tool) only in this context. This would require the online tool to provide updated severity ratings for CVEs taking into account context (#33).

For the second solution: This would require the online tool to provide updated severity ratings for CVEs taking into account context (#33).

raboof, Nov 23 '23 17:11
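As an added illustration of the context-aware override that the second solution (#33) would need, and not code from nix-security-tracker itself: a small Python routine that parses the `nix-store -q --tree`-style closure quoted in the issue and lowers the reported severity only when every path to w3m runs through nixos-help. The rule format, function names and the second (direct-dependency) tree are assumptions constructed for the example.

```python
import re
# Sample closure trees in `nix-store -q --tree` style. TREE_VIA_HELP is the one from the
# issue above; TREE_DIRECT is a constructed variant where w3m is also in system-path.
TREE_VIA_HELP = """\
/nix/store/39j31iqf9qw9b77hn3vyc1r9rdqdmd8y-nixos-system-nixos-23.11.20231119.e4ad989
└───/nix/store/psjpf3p5bbfn8yly67asc6nh6hi9f6ah-system-path
    └───/nix/store/vg9846qpcr0m338gvk6v9igdaxfkdvsa-nixos-help
        └───/nix/store/qddj49x0v8xj13cj979n3lr8akjxby5c-nixos-help
            └───/nix/store/gi9nf0pr687nm2d6pbabic9h0qxh9jma-w3m-0.5.3+git20230121
"""
TREE_DIRECT = """\
/nix/store/39j31iqf9qw9b77hn3vyc1r9rdqdmd8y-nixos-system-nixos-23.11.20231119.e4ad989
└───/nix/store/psjpf3p5bbfn8yly67asc6nh6hi9f6ah-system-path
    ├───/nix/store/gi9nf0pr687nm2d6pbabic9h0qxh9jma-w3m-0.5.3+git20230121
    └───/nix/store/vg9846qpcr0m338gvk6v9igdaxfkdvsa-nixos-help
        └───/nix/store/gi9nf0pr687nm2d6pbabic9h0qxh9jma-w3m-0.5.3+git20230121
"""

# Hypothetical override rule format (not the tracker's): a CVE in `package` is reported
# with `severity` only if every path from the system closure to it crosses `only_via`.
OVERRIDES = [
    {"cve": "CVE-2023-38253", "package": "w3m", "only_via": {"nixos-help"}, "severity": "low"},
]
NODE_RE = re.compile(r"^(?P<prefix>[\s│├└─]*)/nix/store/[a-z0-9]+-(?P<name>.+)$")

def pname(name):
    """Drop the version suffix: 'w3m-0.5.3+git20230121' -> 'w3m'."""
    return re.split(r"-(?=\d)", name, maxsplit=1)[0]

def chains(tree_text):
    """Yield the root-to-node list of package names for every node in the tree."""
    stack = []
    for line in tree_text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 4  # each tree level is 4 drawing characters
        stack = stack[:depth] + [pname(m.group("name"))]
        yield list(stack)

def effective_severity(cve, package, default, tree_text, rules=OVERRIDES):
    """Return the severity to report for `cve` in `package` given this closure."""
    paths = [c for c in chains(tree_text) if c[-1] == package]
    if not paths:
        return None  # package is not in the closure at all: nothing to report
    for rule in rules:
        if rule["cve"] == cve and rule["package"] == package and all(
                rule["only_via"] & set(p[:-1]) for p in paths):
            return rule["severity"]
    return default
```

With the issue's tree the call `effective_severity("CVE-2023-38253", "w3m", "medium", TREE_VIA_HELP)` yields `"low"`, while the constructed tree with w3m directly in system-path keeps the default `"medium"`.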