Hi,

On Sun, Jan 14, 2024 at 04:41:00PM +0000, Bastien Roucariès wrote:
> On Sun, 31 Dec 2023 07:14:26 +0100 Salvatore Bonaccorso <car...@debian.org>
> wrote:
> > Hi Guilhem, hi Moritz,
> >
> > On Sat, Dec 30, 2023 at 11:26:02PM +0100, Guilhem Moulin wrote:
> > > On Sat, 30 Dec 2023 at 21:02:16 +0100, Felix Geyer wrote:
> > > > There are some minor changes staged in the salsa git repo. It would be
> > > > good to include them as well. Feel free to push the patch to git and
> > > > upload. Alternatively a merge request works as well of course.
> > >
> > > Thanks for the fast response! Tagged and uploaded.
> > >
> > > Security team, if you agree with my assessment that CVE-2023-40462 is a
> > > duplicate of CVE-2023-34194 (but for a separate project that embeds
> > > libxml) and that CVE-2023-40458 is a duplicate of CVE-2021-42260 (but
> > > for a separate project that embeds libxml), I can propose debdiffs for
> > > bullseye and bookworm.
> >
> > I think the former is correct but still a bit biased. We initially had
> > exactly CVE-2023-40462 as NFU and CVE-2023-34194 for tinyxml. I have
> > now committed
> > https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e507c932b999df48f808969c00f07a638e3357b
> > which does match my understanding for this doubled CVE assignment. The
> > document is actually not very clear. It still mentions
> > CVE-2023-40462 but does not consistently say "TinyXML as used in".
> > Still hope we can agree the above matches all our understanding.
> > Moritz, given you updated back then the entry from NFU and tinyxml, if
> > you still strongly disagree I will revert the above, but I tried to
> > explain my reasoning in the commit message.
> >
> > Now for CVE-2023-40458 I'm not sure. Looking back at the references
> > for CVE-2021-42260 and the issue report at
> > https://sourceforge.net/p/tinyxml/bugs/141/ this sensibly matches the
> > description for CVE-2023-40458, but will want to see if Moritz has an
> > additional input here.
> >
> > If this is the case we either have the option to mark it really as
> > duplicate (and request a reject from MITRE) or it is again just an
> > ALEOS issue "... tinyxml as used in". Again the table here is not very
> > clear in the report, for the CVE-2023-34194 and CVE-2023-40462 there
> > were explicitly listed the two CVEs with brackets including the
> > product in the table, but this is not the case for CVE-2023-40458.
> >
> > Moritz?
>
> Any news of this triaging?
I contacted the involved CNA and they are investigating if that needs to be
considered a duplicate (for CVE-2023-40458 and CVE-2021-42260).
CVE-2023-40462 was already updated.

Regards,
Salvatore