
c-ares, CVE-2023-31147, CVE-2023-31124


Anton Gladky

Jun 23, 2023, 12:50:04 AM
Hi,

Two CVEs might be irrelevant for Debian systems. Can they be
tagged as "unaffected"? Or do we have some systems where
/dev/urandom does not exist?

Thanks

Anton

Moritz Muehlenhoff

Jun 23, 2023, 4:30:04 AM
They are already marked as non-issues:

CVE-2023-31124 (c-ares is an asynchronous resolver library. When cross-compiling c-are ...)
- c-ares <unfixed> (unimportant)
NOTE: No impact on binaries shipped by Debian

CVE-2023-31147 (c-ares is an asynchronous resolver library. When /dev/urandom or RtlGe ...)
- c-ares <unfixed> (unimportant)
NOTE: Any Debian system/port provides /dev/urandom

But in fact the view in the Debian security is a little misleading, given
that it displays "vulnerable" all over the place, e.g.
https://security-tracker.debian.org/tracker/CVE-2023-31147

It would be nice if for "unimportant" issues it would display "non issue/no impact"
instead of "vulnerable".

Cheers,
Moritz

Ola Lundqvist

Jun 23, 2023, 3:10:03 PM
Hi Anton, all

Well, even if there are some systems affected, I must say that if
someone has removed urandom, the behavior described is expected. I
mean, /dev/urandom is there for a reason. And yes, there are better
functions than rand(), but I can hardly see this as a vulnerability. Or
well, it is, but it is the kind of vulnerability when you remove the
device that provides randomness in the system.

I would have marked them as "minor issue".

Cheers

// Ola
--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com op...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------

Anton Gladky

Jun 23, 2023, 4:10:03 PM
Thank you all for your replies!

@Moritz, could you please create an issue with a
possible proposal for how it should look?

Best regards

Anton

Moritz Mühlenhoff

Jun 27, 2023, 2:50:04 PM
On Fri, Jun 23, 2023 at 09:59:45PM +0200, Anton Gladky wrote:
> Thank you all for your replies!
>
> @Moritz, could you please create an issue with a
> possible proposal for how it should look?

Sure, filed as #1039606

Thanks,
Moritz