2023-06-01 00:10:51 <jalberti> Hi! We are looking at some libtiff CVEs reported against 3.16-main, e.g. https://security.alpinelinux.org/vuln/CVE-2023-0799
2023-06-01 00:11:29 <jalberti> It is marked fixed in 3.17, but it seems also 3.16 should be considered affected?
2023-06-01 00:14:34 <jalberti> looks like the package in alpine is tiff, and the source package is libtiff, so the match is not automatic?
2023-06-01 00:14:44 <jalberti> or is this a false positive on our side?
2023-06-01 00:30:02 <psykose> it's theoretically affected yes
2023-06-01 00:30:30 <psykose> all it affects is `tiffcrop` from `tiff-tools` however so in practice nobody is affected unless they use that
2023-06-01 00:31:27 <psykose> it's one of like 9 cves on the same tool, that's not the only one
2023-06-01 01:17:29 <jalberti> yes, correct
2023-06-01 01:18:00 <jalberti> I'm surprised to see them fixed on 3.17, but not 3.16, and 3.16 not listed as affected
2023-06-01 01:18:10 <jalberti> that's the only reason I reached out
2023-06-01 01:18:23 <jalberti> Thanks for checking in ... 
2023-06-01 08:04:56 <ikke> "Alert: if you look up curl CVEs in public sources like NVD you will find they use inflated severity levels and CVSS scores. They think they know better and override our assessments. This is a systemic error that we unfortunately cannot fix. [..]" https://curl.se/docs/security.html
2023-06-01 08:05:56 <psykose> it's like that for most cves of anything
2023-06-01 08:10:18 <psykose> that said, quite hard to strike a balance in general
2023-06-01 08:15:27 <ikke> Yup, different incentives
2023-06-01 08:16:34 <ikke> Maintainers tend to downplay vulnerabilities, security vendors want to inflate them 
2023-06-01 18:10:21 <jalberti> Thank you for recent 3.16 patches for tiff! Appreciate it!
2023-06-02 06:01:40 <jhjacobs[m]> so it falls to the security guys in the field to asses the real severity level ;-)
2023-06-04 13:31:41 <jvoisin> https://lists.debian.org/debian-lts/2023/06/msg00012.html amazing.
2023-06-04 13:34:29 <ikke> What is this db5.3?
2023-06-04 13:34:46 <ikke> ah, berkley db
2023-06-04 13:34:50 <ikke> I assume
2023-06-04 18:15:43 <psykose> we do it better
2023-06-04 18:15:47 <psykose> we just don't patch it at all
2023-06-04 18:15:51 <psykose> stay winning 😎
2023-06-07 19:09:01 <jvoisin> https://oss-security.openwall.org/wiki/mailing-lists/distros Alpine isn't there. Would it like/should it to be?
2023-06-07 19:09:53 <psykose> no
2023-06-07 21:02:42 <ncopa> i think it would be good if we were
2023-06-07 21:02:56 <ncopa> nobody cared enough in the past
2023-06-07 21:05:17 <psykose> security roleplaying
2023-06-07 21:07:56 <ncopa> iirc its a place for discussing security issues before they are released to public. we get a heads up two weeks a head or so
2023-06-07 21:08:26 <ncopa> the prize is that we may need contribute help create fixes
2023-06-07 21:08:33 <psykose> that's nice for them
2023-06-07 21:08:37 <psykose> public data is more than fine
2023-06-07 21:09:32 <ncopa> it has been fine enough so far
2023-06-07 21:09:35 <ikke> Are we going to stage fixes somewhere that will not leak to the public?
2023-06-07 21:10:25 <ncopa> i think it opens for staging fixes locally, on local machine, so fix can be pushed same time as its publically released
2023-06-07 21:10:36 <ncopa> but i think we do pretty good as is tbh
2023-06-07 21:10:52 <ncopa> i *think* we are pretty fast on pushing fixes
2023-06-07 21:11:06 <psykose> as fast as is notified
2023-06-07 21:11:15 <psykose> i do 90% of it and there's nothing special about it
2023-06-07 21:11:19 <ikke> We don't require 2 weeks of testing
2023-06-07 21:11:26 <psykose> seeing it 2 weeks in advance would only be confusing since there's a secret queue
2023-06-07 21:12:09 <psykose> it's most about the actual discussion for fixes which is where any value would be
2023-06-07 21:12:27 <psykose> but that sounds more of a thing for fun for security engineers and not really 'random distro that keeps up with patches'
2023-06-07 21:12:30 <psykose> in a sense
2023-06-07 21:40:43 <ncopa> yeah
2023-06-09 10:00:37 <jvoisin> https://github.com/acmesh-official/acme.sh/issues/4659 ffs.
2023-06-09 13:19:10 <minimal> jvoisin: that Issue has gotten even more heated lol
2023-06-09 14:07:14 <ncopa> i actually don't mind if some representative from us wants to join there. I just feel I have more than enough on my plate
2023-06-15 15:36:16 <ncopa> I wonder if we should disable CONFIG_IO_URING in our kernels: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
2023-06-15 15:37:44 <psykose> that makes about as much sense as disabling half the pci drivers and every gpu driver too
2023-06-15 16:13:29 <omni> I wouldn't mind a linux-hardened though
2023-06-15 16:58:36 <jvoisin> ^
2023-06-15 19:31:59 <jhjacobs[m]> yes, a linux-hardened would be nice :)
2023-06-15 19:32:37 <jhjacobs[m]> but cant we create that ourselves? its been a few hundred years since i last made a custom linux kernel :)
2023-06-16 12:17:19 <kpcyrd> there's this: https://github.com/anthraxx/linux-hardened
2023-06-16 12:17:54 <kpcyrd> it's the source code for https://archlinux.org/packages/extra/x86_64/linux-hardened/
2023-06-16 13:24:32 <jvoisin> kpcyrd: it's a frankenkernel with a ton of oudated stuff :/
2023-06-16 13:26:06 <ncopa> the 6.1 branch seems to be fairly up-to-date
2023-06-16 15:18:59 <jhjacobs[m]> first i plan to learn alpine packaging, then i'll package my own hardened kernel :D
2023-06-16 17:07:56 <idkrn[m]> SELinux in main repos too :)
2023-06-16 17:08:25 <idkrn[m]> <jvoisin> "kpcyrd: it's a frankenkernel..." <- How
2023-06-16 18:26:57 <idkrn[m]> * In reply to @_oftc_jvoisin:matrix.org
2023-06-16 18:26:57 <idkrn[m]> How so
2023-06-16 18:26:57 <idkrn[m]> kpcyrd: it's a frankenkernel with a ton of oudated stuff :/
2023-06-16 18:32:15 <minimal> idkrn[m]: how so what? if it has "a ton of outdated stuff" then it has a ton of outdated stuff...
2023-06-16 19:23:41 <jvoisin> idkrn[m]: it has a ton of backported grsecurity stuff, some parts of grapheneos, some parts from the dead clipos project, … all done by an extra-busy person
2023-06-16 23:48:16 <idkrn[m]> <jvoisin> "idkrn: it has a ton of backporte..." <- What's the issue there?
2023-06-16 23:48:47 <idkrn[m]> How would that be any worse than the standard kernel?
2023-06-16 23:57:36 <minimal> idkrn[m]: how would a very busy 3rd party individual backporting lots of patches from multiple sources (including a "dead" project) be any worse than the standard kernel? hmm, let me think about that for a while... ;-)
2023-06-17 00:37:30 <idkrn[m]> <minimal> "idkrn: how would a very busy 3rd..." <- All the patches do is fix the kernel. You don't add attack surface with these
2023-06-17 00:38:33 <idkrn[m]> You're sarcastic but not coherent
2023-06-17 00:40:33 <sam_> because you have to check that they do the right thing still, not just apply 
2023-06-17 00:40:40 <sam_> and you're also relying on them to keep up with kernel.org releases
2023-06-17 00:46:31 <psykose> no, we are not adding linux-hardened
2023-06-17 00:46:33 <psykose> thanks for asking
2023-06-17 01:48:09 <idkrn[m]> <sam_> "and you're also relying on..." <- They are doing a pretty good job of that
2023-06-17 09:16:48 <jvoisin> psykose: why :'(
2023-06-17 09:26:12 <psykose> you said it best yourself
2023-06-17 09:26:44 <jvoisin> ah, I misunderstood, my bad
2023-06-17 09:27:02 <jvoisin> having an hardened kernel without io_uring and its friends would be nice
2023-06-17 09:27:22 <jvoisin> adding anthraxx' "linux-hardened" would be un-nice indeed
2023-06-17 09:28:09 <psykose> it sounds a lot easier to just add a sysctl tunable for it
2023-06-17 09:28:28 <psykose> kernel-but-four-kconfigs-changed sounds mostly, well...
2023-06-17 09:28:39 <psykose> that said, i am not a kernel developer :D
2023-06-17 09:29:10 <psykose> i just like opening my computer and seeing cool pixels, you know
2023-06-17 09:34:48 <jvoisin> you and I, you and I
2023-06-17 09:36:41 <omni> I was mostly thinking another kernel config for a linux-hardened in alpine
2023-06-17 09:37:20 <omni> rather than pulling in patches from here and there
2023-06-17 09:39:45 <omni> I'd be lazy and use kconfig-hardened-check
2023-06-17 09:55:01 <psykose> i just ran that and concluded it flags literally everything
2023-06-17 09:57:07 <psykose> it recommends CONFIG_SLUB_DEBUG=y lol
2023-06-17 10:21:49 <omni> ok, not that lazy, I'd use it for suggestions on what to look at to configure
2023-06-22 02:39:05 <idkrn[m]> <jvoisin> "having an hardened kernel..." <- LTS with better backports could be a good start lol
2023-06-22 02:43:55 <psykose> lts is already latest lts
2023-06-22 04:13:55 <idkrn[m]> Maybe needs a slightly bigger buffer from all the barely tested code entering the kernel
2023-06-22 04:25:58 <psykose> 'i want a kernel that is older than the latest one then has someone spend some time manually applying some patches' is not a thing
2023-06-22 04:26:04 <psykose> you are welcome to pay someone to do it though
2023-06-22 08:59:26 <JohannesJ[m]> OR, learn how to do it, and contribute :)
2023-06-22 10:15:01 <jvoisin> idkrn[m]: sounds orthogonal tbh
2023-06-22 14:19:46 <idkrn[m]> <psykose> "'i want a kernel that is older..." <- That's pretty much what LTS already is
2023-06-22 14:20:19 <psykose> yeah, it is
2023-06-22 14:20:27 <psykose> ditto to what i said
2023-06-22 14:22:26 <idkrn[m]> <psykose> "'i want a kernel that is older..." <- You just said it wasn't a thing
2023-06-22 14:22:36 <psykose> you'll understand it eventually
2023-06-22 14:28:59 <idkrn[m]> Lol
2023-06-27 15:11:41 <minimal> https://news.ycombinator.com/item?id=36489847
2023-06-27 15:11:42 <minimal> "Alpine is out of the picture for us because the guy that works on their security tracker just doesn't care, and responds half a year after filing an issue. The tracker itself is broken for over a year and the response was to basically rebuild our own package index and host our own security tracker."
2023-06-27 15:12:07 <JohannesJ[m]> heh
2023-06-27 15:15:19 <psykose> the context is https://gitlab.alpinelinux.org/ariadne/secfixes-tracker/-/issues/9#note_286872
2023-06-27 15:18:05 <jvoisin> amazing.
2023-06-27 15:18:47 <psykose> (no half a year response either)
2023-06-27 15:18:50 <psykose> classic hn comments
2023-06-27 15:20:34 <JohannesJ[m]> cookies, hmmz
2023-06-27 15:40:04 <Ariadne> the “guy”
2023-06-27 15:40:07 <Ariadne> very cool
2023-06-28 19:55:09 <Ariadne> psykose: the ridiculous part is that security tracker is an internal tool, and the secdb itself is the preferred method of data ingestion for public users :p
2023-06-28 19:58:38 <ikke> but the latter means work :P
2023-06-28 20:00:08 <ikke> Ariadne: just out of curiousity, you mentioned working on some alternative for the security tracker, is that something short-term, or more long term?
2023-06-28 20:01:09 <Ariadne> ikke: there is `wolfictl advisory discover` in wolfi, which could probably be adapted to work with alpine too.  it just needs the ability to extract the secfixes data.
2023-06-28 20:03:34 <psykose> i don't even know the difference between the tracker or the secdb
2023-06-28 20:04:02 <psykose> secdb looks easy to input
2023-06-28 20:05:07 <ikke> that's just raw data from the secfixes section
2023-06-28 20:05:29 <ikke> So it only contains information about what we say is fixed
2023-06-28 20:06:27 <ikke> secfixes tracker adds NVD information, so shows what is still vulnerable, and what is fixed due to the version not applying
2023-06-28 20:10:24 <psykose> yeah that is useless
2023-06-28 20:10:47 <ikke> what is?
2023-06-28 20:10:54 <psykose> secfixes extra nvd info
2023-06-28 20:11:01 <ikke> why is it useless?
2023-06-28 20:11:02 <psykose> scanners should get that themselves
2023-06-28 20:11:26 <psykose> not via us rehosting it
2023-06-28 20:11:40 <psykose> then overlay secdb for extra exclusions
2023-06-28 20:12:33 <ikke> Yes, but like I said, it's work, so why not scrape the secfixes tracker instead 
2023-06-28 20:12:47 <psykose> it's work indeed
2023-06-28 20:13:24 <psykose> having every distro maintain a 100% pristine copy of all of nvd and friends regurgitated for a one stop shop though is completely nonsensical
2023-06-28 20:13:33 <psykose> why everyone doesn't just shoot this dumb idea down is beyond me
2023-06-28 20:13:54 <psykose> there's more to it than just nvd+exclusions, since you also need +remaps in there
2023-06-28 20:14:00 <psykose> but rehosting the whole thing to do that is silly
2023-06-28 20:16:06 <psykose> ideally the scanners would just use nvd and friends as first input, then some distro specific thing that remaps some names or whatever, and then overlay the secdb list on top of that for things fixed by not just version constraints
2023-06-28 20:16:08 <psykose> huge ask, i know
2023-06-28 20:16:55 <psykose> that said, at least sec tracker rehosted is still better than manually inputting everything ever into secfixes:
2023-06-28 20:18:43 <ikke> yeah, would ideally get rid of all entries that are redundant now
2023-06-28 20:18:53 <ikke> but I can already see the reports comming in
2023-06-28 20:20:15 <psykose> tbh i can't think of many reports
2023-06-28 20:20:30 <psykose> i have been intentionally omitting everything that was fixed in xyz version for a while now
2023-06-28 20:20:40 <psykose> (and just verifying that security.a.o was clear)
2023-06-28 20:20:49 <psykose> nobody reported anything so i guess they don['t use purely secdb
2023-06-28 20:26:55 <Ariadne> i don't get it, grype already does all of this, as do the commercial scanners
2023-06-28 20:27:07 <Ariadne> he should just use grype
2023-06-28 20:34:59 <psykose> yeah, they do
2023-06-28 20:35:04 <psykose> i guess that's why i find it extra confusing
2023-06-29 22:07:51 <idkrn[m]> Is there a way to force apk to use https mirrors without manually editing the mirrorlist
2023-06-29 22:08:23 <idkrn[m]> * Is there a way to force apk to use https mirrors without manually checking what mirrors support https and then manually editing the repos?
2023-06-30 03:53:44 <ikke> idkrn[m]: no, apk will use exactly what's in /etc/apk/repositories
2023-06-30 03:54:39 <idkrn[m]> ikke: Sad
2023-06-30 13:35:43 <JohannesJ[m]> why is that sad?
2023-06-30 19:12:31 <idkrn[m]> <idkrn[m]> "Is there a way to force apk to..." <- Because I want to do this
2023-06-30 19:13:46 <psykose> how often do you change mirrors to random ones that you can't just check them manually
2023-06-30 19:18:33 <idkrn[m]> psykose: I mostly just want it during install I guess
2023-06-30 19:19:55 <ikke> ah, so setup-mirrors