• Debian 12 security issue - please help to understand

    From Rafał Lichwała@21:1/5 to All on Wed Jan 29 13:50:01 2025
    Hi,

    I've prepared a docker image based on Debian 12 (bookworm, fully
    updated), and after uploading it to a local registry it was automatically scanned for possible vulnerabilities.
    I was really surprised when I discovered that according to this scan
    there are 139 security vulnerabilities and 2 of them are CRITICAL (!).
    I've started to dig further to find out what's going on there.

    First critical on the list is the "zlib1g" binary Debian package, which is a
    part of (a result of) the wider source package "zlib":

    https://tracker.debian.org/pkg/zlib

    According to this information (link below), this package is still
    vulnerable in bookworm and marked as "(no-DSA, ignored)":

    https://security-tracker.debian.org/tracker/source-package/zlib

    But according to this (link below), that may be the case "if its
    severity is minor":

    https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory

    But it seems this is a CRITICAL issue (with a score of 9.8 in one of its three
    parts):

    https://www.cvedetails.com/cve/CVE-2023-45853/

    Why is it not fixed in bookworm? Or maybe I misunderstand
    something in the information above?

    Similar problem with the second critical on the list: package "libaom3", which
    is a binary package from "aom":

    https://tracker.debian.org/pkg/aom

    https://security-tracker.debian.org/tracker/source-package/aom

    https://www.cvedetails.com/cve/CVE-2023-6879/

    Please help me to understand :-)

    Best regards,
    Rafal

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Rafał Lichwała@21:1/5 to David on Wed Jan 29 14:40:02 2025
    On 29.01.2025 1:57 PM, David wrote:
    > How does your "automatically scanned for possible vulnerabilities"
    > actually work?

    I don't know, but it does not matter in that context. The fact is that
    the result of this "magic scan" properly found and points out the real
    critical security vulnerabilities in bookworm which are not fixed. Am I
    wrong? Please correct me then.

    > Because Debian does backport security fixes, so simply checking the
    > version number of the software does not indicate if the vulnerability
    > has been fixed in Debian, or not.

    I know, but it seems (at least to me) that it's not the case this time (?)
    I hope I am wrong, so please help me to understand.
    Could you please send some link which says "yeah, it's fixed in bookworm"?
    I cannot find it.

    On the other hand there is nothing in the package changelog about this CVSS:

    https://metadata.ftp-master.debian.org/changelogs//main/z/zlib/zlib_1.2.13.dfsg-1_changelog



  • From Dan Ritter@21:1/5 to All on Wed Jan 29 14:40:02 2025
    Rafał Lichwała wrote:
    > Hi,
    >
    > I've prepared a docker image based on Debian 12 (bookworm, fully updated), and after uploading it to a local registry it was automatically scanned for possible vulnerabilities.
    > I was really surprised when I discovered that according to this scan
    > there are 139 security vulnerabilities and 2 of them are CRITICAL (!).
    > I've started to dig further to find out what's going on there.
    >
    > First critical on the list is the "zlib1g" binary Debian package, which is a part of (a result of) the wider source package "zlib":
    >
    > https://tracker.debian.org/pkg/zlib

    The notes say:

    [bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)

    In other words, there's no point in fixing it because Debian
    doesn't build the vulnerable binary component.

    Very low priority.

    > But it seems this is a CRITICAL issue (with a score of 9.8 in one of its three parts):
    >
    > https://www.cvedetails.com/cve/CVE-2023-45853/

    CVSS are often bogus.


    > Similar problem with the second critical on the list: package "libaom3", which is a binary package from "aom":
    >
    > https://security-tracker.debian.org/tracker/source-package/aom

    It could crash on invalid input. That's minor. It could crash on
    invalid input. Also minor. It could potentially be used to
    execute code in the privilege of the user running the software,
    which is bad, but it appears to only exist in Android, so Debian
    thinks it is not interesting.

    -dsr-

  • From Rafał Lichwała@21:1/5 to Dan Ritter on Wed Jan 29 14:50:01 2025
    On 29.01.2025 2:12 PM, Dan Ritter wrote:
    > The notes say:
    >
    > [bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
    >
    > In other words, there's no point in fixing it because Debian
    > doesn't build the vulnerable binary component.
    >
    > Very low priority.

    Could you please drop a link to those notes?

    If CVSS is "critical" and the Debian tracking system says "bookworm -
    vulnerable", why does it have low priority?

    Maybe I just don't understand the process of this "Debian doesn't build
    the vulnerable binary component", so please clarify in more detail.

    > CVSS are often bogus.

    Hmmm... I'm not sure what you mean. All security announcements in DSAs
    refer to CVSS, so... what's the source of such an opinion?

    >> Similar problem with the second critical on the list: package "libaom3", which is a
    >> binary package from "aom":
    >>
    >> https://security-tracker.debian.org/tracker/source-package/aom
    > It could crash on invalid input. That's minor. It could crash on
    > invalid input. Also minor. It could potentially be used to
    > execute code in the privilege of the user running the software,
    > which is bad, but it appears to only exist in Android, so Debian
    > thinks it is not interesting.
    Also a bit of an enigmatic explanation for me...
    CVSS says: critical 9.8
    Debian says: yes, bookworm is vulnerable

    You say: minor, minor, it appears to only exist in Android

    Really? :-)



  • From Hanno 'Rince' Wagner@21:1/5 to All on Wed Jan 29 14:50:01 2025
    Hi Rafał!

    On Wed, 29 Jan 2025, Rafał Lichwała wrote:

    > On 29.01.2025 1:57 PM, David wrote:
    >> How does your "automatically scanned for possible vulnerabilities"
    >> actually work?
    >
    > I don't know, but it does not matter in that context.

    It does matter because you have to interpret the output of your
    scanner and understand it.

    > The fact is that the result of this "magic scan" properly found and points out the real
    > critical security vulnerabilities in bookworm which are not fixed. Am I wrong? Please correct me then.

    This strange scanner found a CVE attached to minizip. minizip is part
    of zlib, but not supported. Therefore, for Debian there is no reason to
    provide a security fix, since the program (minizip) is not supported by the
    zlib package itself.

    If you use such a scanner, _you_ have to understand the output of the
    scanner, the CVE itself _and_ the impact on _your_ system. The scanner
    can only check a version number against a CVE. But what it means _in
    your situation_ is your responsibility, not Debian's, not the scanner's.

    best regards, Hanno Wagner
    --
    | Hanno Wagner | Member of the HTML Writers Guild | Rince@IRC |
    | Commercial use of my e-mail addresses is not permitted! |
    | 74 a3 53 cc 0b 19 - we did it! | Generation @ |
    #DAU at work, Real Life Cuts (Part 21):
    #"I was once a customer of PROTEL, too."

  • From Dan Ritter@21:1/5 to All on Wed Jan 29 15:10:02 2025
    Rafał Lichwała wrote:
    >
    > On 29.01.2025 2:12 PM, Dan Ritter wrote:
    >> The notes say:
    >>
    >> [bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
    >>
    >> In other words, there's no point in fixing it because Debian
    >> doesn't build the vulnerable binary component.
    >>
    >> Very low priority.
    >
    > Could you please drop a link to those notes?

    It's in the links that you sent.

    > If CVSS is "critical" and the Debian tracking system says "bookworm - vulnerable", why does it have low priority?
    >
    > Maybe I just don't understand the process of this "Debian doesn't build the vulnerable binary component", so please clarify in more detail.
    >
    >> CVSS are often bogus.
    >
    > Hmmm... I'm not sure what you mean. All security announcements in DSAs refer to CVSS, so... what's the source of such an opinion?


    Most recently: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/


    > You say: minor, minor, it appears to only exist in Android
    >
    > Really? :-)

    I read the notes. You sent the links, you should read them.

    -dsr-

  • From Rafał Lichwała@21:1/5 to Hanno 'Rince' Wagner on Wed Jan 29 15:10:02 2025
    On 29.01.2025 2:39 PM, Hanno 'Rince' Wagner wrote:
    >>> How does your "automatically scanned for possible vulnerabilities"
    >>> actually work?
    >> I don't know, but it does not matter in that context.
    > It does matter because you have to interpret the output of your
    > scanner and understand it.
    Well, that's not really what I meant in the previous sentence.

    It does not matter "how does the scanner *actually work*" (what sources it
    gets, what filters it applies etc.), but I have to properly interpret
    its output - that's true.

    So, I thought those two critical alarms were just false alarms because
    they are already fixed in Debian (as usual, in normal security fixes, backports or whatever) - even if that's not reflected in the package
    main version number - so I could easily find information about that on
    Debian pages. But I can't find it - worse - I found a confirmation that bookworm is vulnerable.

    So now I suppose I just don't fully understand the information I
    found, so that's why I ask you guys for help on this Debian user mailing
    list.

    > This strange scanner found a CVE attached to minizip. minizip is part
    > of zlib, but not supported. Therefore, for Debian there is no reason to
    > provide a security fix, since the program (minizip) is not supported by the zlib package itself.

    No. The "strange scanner" says that the vulnerability is in the "zlib1g" package
    (not minizip).

    Based on that (I described it in my first post) I found it's a Debian
    binary package from zlib which is vulnerable in bookworm. And that was
    the surprise - that's it.

    > If you use such a scanner, _you_ have to understand the output of the
    > scanner, the CVE itself _and_ the impact on _your_ system. The scanner
    > can only check a version number against a CVE. But what it means _in
    > your situation_ is your responsibility, not Debian's, not the scanner's.

    Yes. But I'm not asking about "responsibility", but for a bit more explanation, without blaming anyone.

    I'm not asking: "who is responsible for the fact that this package is not fixed?"
    I'm kindly asking "Is it true that this package is still vulnerable
    in bookworm? If not - please explain to me how to properly read all this information on Debian pages".

    Anyway - thank you.

    Best regards,

    Rafal



  • From Roberto C. Sánchez@21:1/5 to Dan Ritter on Wed Jan 29 15:30:01 2025
    On Wed, Jan 29, 2025 at 08:43:12AM -0500, Dan Ritter wrote:

    > Most recently: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/

    I was going to post a link to this very article when I saw that you
    already had :-)

    Regards,

    -Roberto
    --
    Roberto C. Sánchez

  • From Rafał Lichwała@21:1/5 to Dan Ritter on Wed Jan 29 15:30:01 2025
    On 29.01.2025 2:43 PM, Dan Ritter wrote:
    >>> CVSS are often bogus.
    >> Hmmm... I'm not sure what you mean. All security announcements in DSAs
    >> refer to CVSS, so... what's the source of such an opinion?
    >
    > Most recently: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/
    Yeah, another blog and opinion. Do we (Debian) have some better
    alternatives?

    Are there plans to switch to another solution? Or maybe just a discussion
    about such a switch?

    >> You say: minor, minor, it appears to only exist in Android
    >>
    >> Really? :-)
    > I read the notes. You sent the links, you should read them.

    Another misunderstanding - sorry, maybe that's my "language side-effect" ;-)

    I sent the links, but it seems I don't fully understand them, so I ask
    for an explanation.

    Then you cite some parts from those links in plain text, so I guess you understand them better and (again - I guess) you fully agree with those statements.
    So could you please explain to me what's wrong with my understanding?

    Best regards,
    Rafal



  • From Roberto C. Sánchez@21:1/5 to All on Wed Jan 29 15:40:01 2025
    On Wed, Jan 29, 2025 at 03:22:02PM +0100, Rafał Lichwała wrote:
    > On 29.01.2025 2:43 PM, Dan Ritter wrote:
    >>>> CVSS are often bogus.
    >>> Hmmm... I'm not sure what you mean. All security announcements in DSAs
    >>> refer to CVSS, so... what's the source of such an opinion?
    >>
    >> Most recently: [1]https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/

    Did you actually read and understand the entire article?

    > Yeah, another blog and opinion.

    A blog by the author of cURL. I would submit that his opinion is
    extremely relevant, if for no other reason than that there is hardly a more important/commonly used piece of network software out there.

    > Do we (Debian) have some better
    > alternatives?

    Yes, you read the CVE, you look at how the CVSS score was derived, you
    adjust as needed for your specific use case, and then you make a decision
    based on that.

    > Are there plans to switch to another solution? Or maybe just a discussion
    > about such a switch?

    Many alternatives are under discussion, but the industry is largely
    driven by people who have a vested interest in making every
    vulnerability seem as critical as possible. Then they can sell security scanning and remediation solutions for a lot of money. If every
    vulnerability was basically "this might be a problem for 0.1% of users
    and a minor problem at that" then they would have a hard time selling
    their products and services.

    >>> You say: minor, minor, it appears to only exist in Android
    >>>
    >>> Really? :-)

    Yes, really, that's what the security tracker and related sources state.

    >> I read the notes. You sent the links, you should read them.

    > Another misunderstanding - sorry, maybe that's my "language side-effect"
    > ;-)
    >
    > I sent the links, but it seems I don't fully understand them, so I ask for
    > an explanation.
    >
    > Then you cite some parts from those links in plain text, so I guess you
    > understand them better and (again - I guess) you fully agree with those
    > statements.
    > So could you please explain to me what's wrong with my understanding?

    What is happening here is that Debian tracks this CVE as affecting its
    zlib package because in theory someone could take the source of zlib and
    modify it to produce the vulnerable binary. This is something that
    people should know about, since taking and modifying/rebuilding Debian
    source packages is rather common.

    However, Debian itself does *not* build the affected component. So, it
    makes no sense for Debian as a project to put limited effort into fixing
    such a vulnerability.

    If fixing it is important to you personally, then you are welcome to
    figure out the patch or patches that apply, apply them, test the
    resulting package, and then communicate with the security team and
    release managers to have it included in the next stable point release
    (which will probably be sometime in March).

    Regards,

    -Roberto

    --
    Roberto C. Sánchez

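As an added example (my own code, not from anyone in the thread and not Debian tooling): a small triage helper that does what Roberto and Hanno describe, taking the scanner's (binary package, CVE) pairs and reading Debian's own status for the release instead of trusting a bare version comparison. It assumes the field names of the security tracker's JSON export (status, fixed_version, urgency, nodsa, nodsa_reason) as I read them; the tracker data is a constructed sample embedded inline, not a live download, and the two "examplepkg" records and their CVE ids are placeholders.

```python
import json

# Constructed sample modelled on the JSON export of the Debian Security Tracker
# (https://security-tracker.debian.org/tracker/data/json). The zlib record
# mirrors the bookworm status quoted in the thread; the "examplepkg" records
# and their CVE ids are placeholders that exercise the remaining branches.
TRACKER_JSON = r"""
{
  "zlib": {"CVE-2023-45853": {"releases": {"bookworm": {
      "status": "open", "urgency": "unimportant", "nodsa_reason": "ignored",
      "nodsa": "contrib/minizip not built and src:zlib not producing binary packages",
      "repositories": {"bookworm": "1:1.2.13.dfsg-1"}}}}},
  "examplepkg-a": {"CVE-0000-PLACEHOLDER-1": {"releases": {"bookworm": {
      "status": "resolved", "fixed_version": "2.4.0-1+deb12u1"}}}},
  "examplepkg-b": {"CVE-0000-PLACEHOLDER-2": {"releases": {"bookworm": {
      "status": "open", "urgency": "medium"}}}}
}
"""

# Scanners report binary packages; the tracker is keyed by source package.
# Both mappings are the ones named in the thread (zlib1g <- zlib, libaom3 <- aom).
BINARY_TO_SOURCE = {"zlib1g": "zlib", "libaom3": "aom"}


def split_debian_version(version):
    """Split '1:1.2.13.dfsg-1' into (epoch, upstream, debian_revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def numeric_prefix(upstream):
    """'1.2.13.dfsg' -> (1, 2, 13): the dotted numeric part a naive scanner compares."""
    parts = []
    for piece in upstream.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def naive_scanner_flags(installed, last_affected_upstream):
    """Mimic a scanner that only compares the upstream version with the CVE's
    affected range. True means 'flag it', whatever Debian itself decided."""
    _, upstream, _ = split_debian_version(installed)
    return numeric_prefix(upstream) <= numeric_prefix(last_affected_upstream)


def triage(tracker, source_pkg, cve, release):
    """Return (verdict, detail) for one finding, using Debian's own data:
    fixed        - Debian shipped a fix (often a backport the version check misses)
    open-no-dsa  - unfixed, but Debian decided it does not warrant a DSA; the
                   detail carries the tracker's reason, e.g. 'ignored'
    open         - genuinely unfixed in this release
    not-listed   - no tracker record for this CVE/release; needs a manual look
    """
    entry = tracker.get(source_pkg, {}).get(cve)
    if entry is None:
        return "not-listed", f"{cve} has no record for src:{source_pkg}"
    rel = entry.get("releases", {}).get(release)
    if rel is None:
        return "not-listed", f"{cve} has no {release} record"
    status = rel.get("status")
    if status == "resolved":
        return "fixed", f"fixed in {rel.get('fixed_version', '?')}"
    if status == "open" and rel.get("nodsa_reason"):
        return "open-no-dsa", f"{rel['nodsa_reason']}: {rel.get('nodsa', '')}"
    if status == "open":
        return "open", f"urgency {rel.get('urgency', 'unknown')}"
    return str(status), "unexpected tracker status; check the tracker page"


def triage_findings(findings, tracker_json=TRACKER_JSON, release="bookworm"):
    """findings: iterable of (binary_package, cve) pairs as a scanner reports them."""
    tracker = json.loads(tracker_json)
    return {
        (pkg, cve): triage(tracker, BINARY_TO_SOURCE.get(pkg, pkg), cve, release)
        for pkg, cve in findings
    }


if __name__ == "__main__":
    # 1.3 is the last affected upstream version published for CVE-2023-45853,
    # so a version-only comparison flags bookworm's zlib1g regardless of the
    # tracker's "ignored" decision.
    print("naive scanner flags zlib1g 1:1.2.13.dfsg-1:",
          naive_scanner_flags("1:1.2.13.dfsg-1", "1.3"))
    findings = [("zlib1g", "CVE-2023-45853"), ("libaom3", "CVE-2023-6879"),
                ("examplepkg-a", "CVE-0000-PLACEHOLDER-1"),
                ("examplepkg-b", "CVE-0000-PLACEHOLDER-2")]
    for (pkg, cve), (verdict, detail) in triage_findings(findings).items():
        print(f"{pkg:13} {cve:24} {verdict:12} {detail}")
```

The aom finding lands in "not-listed" only because the constructed sample carries no aom record; against the real export you would see its bookworm entry and notes instead.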
  • From Hanno 'Rince' Wagner@21:1/5 to Dan on Wed Jan 29 15:40:01 2025
    Hi Rafał,

    On Wed, 29 Jan 2025, Rafał Lichwała wrote:

    > So now I suppose I just don't fully understand the information I found, so that's why I ask you guys for help on this Debian user mailing list.

    And Dan already answered it, and that is what I meant with "you have to understand what the CVE tells you":

    Dan says:

    > The notes say:
    > [bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
    > In other words, there's no point in fixing it because Debian doesn't build the vulnerable binary component.
    > Very low priority.


    So, this CVE is telling you about a bug which is not affecting Debian's
    zlib1g since it doesn't build minizip.

    > Yes. But I'm not asking about "responsibility", but for a bit more explanation, without blaming anyone.

    You are asking us to interpret for you the content of the CVE and the
    output of your scanner.

    That is what your job is: finding out whether the bug is really
    affecting you and if so, how to mitigate it.

    best regards, Hanno Wagner
    --
    | Hanno Wagner | Member of the HTML Writers Guild | Rince@IRC |
    | Commercial use of my e-mail addresses is not permitted! |
    | 74 a3 53 cc 0b 19 - we did it! | Generation @ |
    #"Well, I'm just picturing Kristian's surprise. Ah, looks good.
    # It suits you..." -- Marit Hansen on the phone

  • From Rafał Lichwała@21:1/5 to Hanno 'Rince' Wagner on Wed Jan 29 16:10:01 2025
    On 29.01.2025 3:35 PM, Hanno 'Rince' Wagner wrote:
    >> The notes say:
    >> [bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
    >> In other words, there's no point in fixing it because Debian doesn't build the vulnerable binary component.
    >> Very low priority.
    >
    > So, this CVE is telling you about a bug which is not affecting Debian's
    > zlib1g since it doesn't build minizip.

    I can still find "minizip" binary in bookworm which depends on "zlib1g".
    So what does it mean that "it doesn't build minizip"?

    Thanks for trying and patience :-)

    > That is what your job is: finding out whether the bug is really
    > affecting you and if so, how to mitigate it.

    So, if I use "minizip" or any other package based on vulnerable "zlib1g"
    in bookworm, that may be a security risk, right?

  • From Roberto C. Sánchez@21:1/5 to All on Wed Jan 29 16:20:01 2025
    On Wed, Jan 29, 2025 at 04:15:16PM +0100, Rafał Lichwała wrote:

    > But I still don't understand "Debian itself does *not* build the affected
    > component" as I can find a "minizip" (and maybe other) package based on that
    > vulnerable library - see my previous post above as a Re- to Hanno.

    You are mistaken here. I think my other email elsewhere in this thread explaining the source and status of the minizip package you are seeing
    answers this precisely.

    > Anyway thank you for trying to explain to me things that are not obvious to
    > me.

    No worries. We are all here to help and learn.

    Regards,

    -Roberto

    --
    Roberto C. Sánchez

  • From Rafał Lichwała@21:1/5 to All on Wed Jan 29 16:20:01 2025
    On 29.01.2025 3:30 PM, Roberto C. Sánchez wrote:
    > On Wed, Jan 29, 2025 at 03:22:02PM +0100, Rafał Lichwała wrote:
    >> On 29.01.2025 2:43 PM, Dan Ritter wrote:
    >>>>> CVSS are often bogus.
    >>>> Hmmm... I'm not sure what you mean. All security announcements in DSAs
    >>>> refer to CVSS, so... what's the source of such an opinion?
    >>>
    >>> Most recently: [1]https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/
    >
    > Did you actually read and understand the entire article?

    Read - yes. Understand - I think so :-)

    > A blog by the author of cURL. I would submit that his opinion is
    > extremely relevant, if for no other reason than that there is hardly a more important/commonly used piece of network software out there.

    Yes, I'm also a curl user on a daily basis. It was not my intention to disregard the author, the blog or its content.

    >> Do we (Debian) have some better
    >> alternatives?
    >
    > Yes, you read the CVE, you look at how the CVSS score was derived, you
    > adjust as needed for your specific use case, and then you make a decision
    > based on that.
    >> Are there plans to switch to another solution? Or maybe just a discussion
    >> about such a switch?

    > Many alternatives are under discussion, but the industry is largely
    > driven by people who have a vested interest in making every
    > vulnerability seem as critical as possible. Then they can sell security scanning and remediation solutions for a lot of money. If every
    > vulnerability was basically "this might be a problem for 0.1% of users
    > and a minor problem at that" then they would have a hard time selling
    > their products and services.

    Thank you for sharing this knowledge.

    > What is happening here is that Debian tracks this CVE as affecting its
    > zlib package because in theory someone could take the source of zlib and modify it to produce the vulnerable binary. This is something that
    > people should know about, since taking and modifying/rebuilding Debian
    > source packages is rather common.
    >
    > However, Debian itself does *not* build the affected component. So, it
    > makes no sense for Debian as a project to put limited effort into fixing
    > such a vulnerability.
    Maybe that's the explanation I was asking for - thank you.

    But still don;t understand "Debian itself does *not* build the affected component" as I can find "minizip" (and maybe other) package based on
    that vulnerable library - see my previous post above as Re- to Hanno.

    Anyway thank you for trying to explain me things that are not obvious to me.



  • From =?UTF-8?Q?Rafa=C5=82_Lichwa=C5=82a?@21:1/5 to All on Wed Jan 29 16:40:01 2025
    On 29.01.2025 4:16 PM, Roberto C. Sánchez wrote:
    > Yes, it still means that. The minizip binary package you are seeing
    > comes from a different source package, also called minizip:
    >
    > https://packages.debian.org/source/bookworm/minizip

    Aha! Got it :-)

    And there are no binary components in Debian based on vulnerable zlib1g
    library in bookworm?

    But I have to be aware of this if I want to build some package by myself
    which depends on zlib1g, right?

    Thank you Roberto!

  • From Steve McIntyre@21:1/5 to rafal@siliconet.pl on Wed Jan 29 18:00:01 2025
    rafal@siliconet.pl wrote:
    >
    > On 29.01.2025 4:16 PM, Roberto C. Sánchez wrote:
    >> Yes, it still means that. The minizip binary package you are seeing
    >> comes from a different source package, also called minizip:
    >>
    >> https://packages.debian.org/source/bookworm/minizip
    >
    > Aha! Got it :-)
    >
    > And there are no binary components in Debian based on vulnerable zlib1g
    > library in bookworm?
    >
    > But I have to be aware of this if I want to build some package by myself
    > which depends on zlib1g, right?

    Not at all. The bug is in minizip, an example/contrib program shipped
    in the zlib source package. It is not part of the library *in any way*.

    --
    Steve McIntyre, Cambridge, UK.                                steve@einval.com
    Can't keep my eyes from the circling sky,
    Tongue-tied & twisted, Just an earth-bound misfit, I...

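The triage Roberto describes (read the CVE, see how the score was derived, adjust for your own use case, then decide) can be partly mechanised by asking the security tracker, which is keyed by *source* package, what Debian itself decided for the release the image is built on, instead of acting on the scanner's CVSS number. The Python below is an added example written for this thread; it is not code from Debian, from any scanner, or from any poster. It assumes the key layout of the tracker's JSON export (https://security-tracker.debian.org/tracker/data/json) named in the docstring, and the excerpt embedded in it is constructed: only the zlib row reproduces the "no-DSA, ignored" state quoted earlier in the thread, while libfoo/libbar and their CVE numbers are invented to exercise the other branches.

```python
"""Triage scanner findings by the Debian security tracker's verdict, not by CVSS.

Added example for this thread; not code from Debian or from any poster.
Assumption: the tracker's JSON export is laid out as
{source_pkg: {cve: {"scope": ..., "releases": {suite: {"status", "urgency",
"fixed_version", "nodsa", "nodsa_reason", "repositories"}}}}}.
All data embedded below is constructed.
"""
import json
from dataclasses import dataclass

# Constructed tracker excerpt in the assumed layout. The zlib row only
# reproduces the "no-DSA, ignored" state quoted in the thread; libfoo and
# libbar (and their CVE ids) are invented to exercise the other branches.
TRACKER_JSON = r"""
{
  "zlib": {
    "CVE-2023-45853": {
      "scope": "remote",
      "releases": {
        "bookworm": {"status": "open", "urgency": "unimportant",
                     "nodsa": "Minor issue", "nodsa_reason": "ignored",
                     "repositories": {"bookworm": "1:1.2.13.dfsg-1"}}
      }
    }
  },
  "libfoo": {
    "CVE-2024-0001": {
      "scope": "remote",
      "releases": {"bookworm": {"status": "open", "urgency": "high"}}
    }
  },
  "libbar": {
    "CVE-2024-0002": {
      "scope": "local",
      "releases": {"bookworm": {"status": "resolved", "urgency": "medium",
                                "fixed_version": "2.0-1+deb12u1"}}
    }
  }
}
"""
TRACKER = json.loads(TRACKER_JSON)

# Constructed binary -> source package map. The tracker is keyed by source
# package, which is why a finding on zlib1g has to be looked up under "zlib".
# On a real image the mapping comes from:
#   dpkg-query -W -f '${source:Package}\n' zlib1g
BINARY_TO_SOURCE = {"zlib1g": "zlib", "libfoo1": "libfoo", "libbar2": "libbar"}


@dataclass(frozen=True)
class Finding:
    binary: str   # binary package the scanner flagged
    cve: str
    suite: str    # Debian release the image is based on, e.g. "bookworm"
    cvss: float   # score the scanner reported; carried along, never acted on


def triage(f: Finding) -> tuple[str, str]:
    """Return (verdict, reason) derived from Debian's own assessment of the CVE."""
    source = BINARY_TO_SOURCE.get(f.binary)
    if source is None:
        return "unknown-package", f"no source package known for {f.binary}"
    entry = TRACKER.get(source, {}).get(f.cve)
    if entry is None:
        return "not-tracked", f"{source} has no tracker entry for {f.cve}"
    row = entry["releases"].get(f.suite)
    if row is None:
        return "undetermined", f"tracker has no {f.suite} row for {source}/{f.cve}"
    if row["status"] == "resolved":
        fixed = row.get("fixed_version")
        return "verify-version", f"fixed in {fixed}; compare against the installed version"
    reason = row.get("nodsa_reason")
    if reason == "ignored":
        return "accept", f"{f.suite}: no fix planned ({row.get('nodsa', 'no-DSA')})"
    if reason == "postponed":
        return "watch", f"{f.suite}: fix postponed ({row.get('nodsa', 'no-DSA')})"
    urgency = row.get("urgency", "not yet assigned")
    if urgency in ("high", "medium"):
        scope = entry.get("scope", "?")
        return "escalate", f"{f.suite}: open, urgency {urgency}, scope {scope}"
    return "low", f"{f.suite}: open, urgency {urgency}, no DSA planned yet"


def report(findings: list[Finding]) -> list[str]:
    """One line per finding, CVSS next to the tracker verdict so the gap is visible."""
    lines = []
    for f in findings:
        verdict, reason = triage(f)
        lines.append(f"{f.binary:10} {f.cve:15} CVSS {f.cvss:4.1f} -> {verdict:15} {reason}")
    return lines


if __name__ == "__main__":
    sample = [
        Finding("zlib1g", "CVE-2023-45853", "bookworm", 9.8),
        Finding("libfoo1", "CVE-2024-0001", "bookworm", 5.3),
        Finding("libbar2", "CVE-2024-0002", "bookworm", 7.5),
    ]
    print("\n".join(report(sample)))
```

The point of the report line is that the 9.8 sits next to "accept" while the invented 5.3 sits next to "escalate": the tracker's per-release status and urgency encode what Roberto and Steve explain (the code Debian ships does not contain the affected component), which the context-free CVSS vector cannot. A "verify-version" verdict still needs a proper Debian version comparison against the installed package, which is where many scanners trip over epochs and `+debNuM` suffixes. To confirm Steve's point on the image itself, `nm -D --defined-only /usr/lib/x86_64-linux-gnu/libz.so.1 | grep -i unz` (amd64 path) should print nothing: the minizip API (`unzOpen` and friends) is not compiled into the shared library at all.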