Re: CVE-2023-43628?

[Greg Troxel]

Miroslav Lichvar <mlichvar@redhat.com> writes:

> There is a report of a security vulnerability in gpsd:
>
> https://talosintelligence.com/vulnerability_reports/TALOS-2023-1860
>
> The report says 3.25.1~dev. I don't see a 3.25.1 release and the 3.25
> code seems very different. Does anyone know why a CVE was assigned for
> this?

My impression is that yes, people like to assign CVEs.

This is a low-quality report because it uses an identifier that does not
reference a specific version, when surely they testeed a particular git
commit which could have been identified.  They also failed to identify
the git commit that was fixed.  Reading the logs, which of course anyone
can do, it looks like

  3e5c6c28c422102dd453e31912e1e79d1f7ff7f2

> If this doesn't impact an actual release, could you please dispute it
> with MITRE?

Does MITRE have a policy of only assigning CVEs for releases?  That's an
interesting question, but so many people these days think it is ok not
to have releases, so that would be an odd policy.  A hybrid policy would
have to sort projects into "sufficiently healthy release process wise
that users almost always should run releases" an "not healthy so it is
reasonable to run not a release", and that's very complicated and hard
to do objectively.

If there is such a policy I would like to see a reference.

In other projects, I have seen maintainers decline to have anything to
do with the CVE process itself because it has been at times
unreasonable.

If anything, the proper complaint is that the CVE process should not
allow version identifiers that do not identify a specific version.

Personally, I don't particularly care what's in the CVE datbase.

A meta question: are you writing as an individual gpsd user, or in your
capacity as a Red Hat employee?