On Fri, Dec 22, 2023 at 10:28:42AM +0100, Samuel Thibault wrote:
> Control: severity -1 wishlist
> 
> Hello,
> 
> Moritz Mühlenhoff, on Fri, 22 Dec 2023 10:03:28 +0100, wrote:
> > CVE-2023-49287[0]:
> > | TinyDir is a lightweight C directory and file reader. Buffer
> > | overflows in the `tinydir_file_open()` function. This vulnerability
> > | has been patched in version 1.2.6.
> > 
> > https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
> > https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
> > https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt
> > 
> > falcosecurity-libs embeds a copy of tinydir, if it's not used to
> > open files from potentially untrusted paths, feel free to downgrade.
> 
> The tinydir_file_open function is not used at all indeed.
> (and we don't ship the only lwip app that includes tinydir.h anyway)

Thanks, I'll make a note in the Debian security, let's just close
the bug, then I'd say, no need to keep it open for a random change
not affecting the Debian build.

Cheers,
        Moritz
