Hi,

On Sun, Jan 14, 2024 at 05:48:54PM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> > On Sun, Jan 14, 2024 at 04:41:00PM +0000, Bastien Roucariès wrote:
> > On Sun, 31 Dec 2023 07:14:26 +0100 Salvatore Bonaccorso <car...@debian.org> 
> > wrote:
> > > Hi Guilhem, hi Moritz,
> > > 
> > > On Sat, Dec 30, 2023 at 11:26:02PM +0100, Guilhem Moulin wrote:
> > > > On Sat, 30 Dec 2023 at 21:02:16 +0100, Felix Geyer wrote:
> > > > > There are some minor changes staged in the salsa git repo. It would
> > > > > be good to include them as well. Feel free to push the patch to git
> > > > > and upload. Alternatively a merge request works as well of course.
> > > > 
> > > > Thanks for the fast response!  Tagged and uploaded.
> > > > 
> > > > Security team, if you agree with my assessment that CVE-2023-40462 is a
> > > > duplicate of CVE-2023-34194 (but for a separate project that embeds
> > > > libxml) and that CVE-2023-40458 is a duplicate of CVE-2021-42260 (but
> > > > for a separate project that embeds libxml), I can propose debdiffs for
> > > > bullseye and bookworm.
> > > 
> > > I think the former is correct but still a bit biased. We initially had
> > > exactly CVE-2023-40462 as NFU and CVE-2023-34194 for tinyxml. I have
> > > now committed
> > > https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e507c932b999df48f808969c00f07a638e3357b
> > > which does match my understanding for this doubled CVE assignment. The
> > > document is actually not very clear. It still mentions
> > > CVE-2023-40462 but does not consistently say "TinyXML as used in".
> > > Still hope we can agree the above matches all our understanding.
> > > Moritz, given you updated back then the entry from NFU and tinyxml, if
> > > you still strongly disagree I will revert the above, but I tried to
> > > explain my reasoning in the commit message.
> > > 
> > > Now for CVE-2023-40458 I'm not sure. Looking back at the references
> > > for CVE-2021-42260 and the issue report at
> > > https://sourceforge.net/p/tinyxml/bugs/141/ this sensibly matches the
> > > description for CVE-2023-40458, but I will want to see if Moritz has
> > > additional input here.
> > > 
> > > If this is the case we either have the option to mark it really as a
> > > duplicate (and request a reject from MITRE) or it is again just an
> > > ALEOS issue "... tinyxml as used in". Again the table here is not very
> > > clear in the report: for CVE-2023-34194 and CVE-2023-40462 the two
> > > CVEs were explicitly listed with brackets including the product in
> > > the table, but this is not the case for CVE-2023-40458.
> > > 
> > > Moritz?
> > 
> > Any news of this triaging?
> 
> I contacted the involved CNA and they are investigating if that needs
> to be considered a duplicate (for CVE-2023-40458 and CVE-2021-42260).
> 
> CVE-2023-40462 was already updated.

So CVE-2023-40458 is to be considered specific to ALEOS. The reason
is, while the underlying vulnerability is the same as CVE-2021-42260,
the Sierra Wireless CNA chose to register a unique CVE as the ALEOS
source code contained code taken from TinyXML but did not contain the
complete TinyXML source.  The fixing of the vulnerability reflects the
fix in TinyXML (as per its CVE), but it was not possible in the
Sierra Wireless product to address the vulnerability by directly
taking the TinyXML code.

Regards,
Salvatore
