
Re: c-ares, CVE-2023-31147, CVE-2023-31124



On Fri, Jun 23, 2023 at 06:48:23AM +0200, Anton Gladky wrote:
> Hi,
> 
> Two CVEs might be irrelevant for Debian systems. Can they be
> tagged as "unaffected"? Or do we have some systems where
> /dev/urandom does not exist?

They are already marked as non-issues:

CVE-2023-31124 (c-ares is an asynchronous resolver library. When cross-compiling c-are ...)
        - c-ares <unfixed> (unimportant)
        NOTE: No impact on binaries shipped by Debian

CVE-2023-31147 (c-ares is an asynchronous resolver library. When /dev/urandom or RtlGe ...)
        - c-ares <unfixed> (unimportant)
        NOTE: Any Debian system/port provides /dev/urandom

But in fact the view in the Debian security tracker is a little misleading, given
that it displays "vulnerable" all over the place, e.g.
https://security-tracker.debian.org/tracker/CVE-2023-31147

It would be nice if, for "unimportant" issues, it displayed "non issue/no impact"
instead of "vulnerable".

Cheers,
        Moritz
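
The tracker excerpts above cut the CVE descriptions short. As published, CVE-2023-31147 says that when /dev/urandom and RtlGenRandom() are unavailable, c-ares falls back to rand() for the 16-bit DNS query IDs, which is not a CSPRNG and is never seeded; CVE-2023-31124 reaches the same rand() fallback because an autotools cross-compile does not probe for the random file. The C program below is an added example for this thread, not c-ares source: it contrasts an unseeded-rand() ID generator with one that reads /dev/urandom, and doubles as the check behind the NOTE that every Debian system provides /dev/urandom. The function names and the exact way rand() is truncated to 16 bits are illustrative assumptions, not c-ares's implementation.

```c
/* Added example (not c-ares code): weak fallback vs. /dev/urandom for
 * DNS query IDs, plus a check that /dev/urandom is present and readable. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#define NUM_IDS 16

/* Fallback path: a 16-bit query ID taken from rand() that was never seeded.
 * (Illustrative; how c-ares itself truncates rand() is not shown here.) */
static uint16_t fallback_query_id(void)
{
    return (uint16_t)(rand() & 0xffff);
}

/* Emulates a fresh process that never called srand(): per C99 7.20.2.2 an
 * unseeded rand() behaves exactly as if srand(1) had been called, so every
 * new process walks the same sequence. Fills out[] with count IDs. */
void fallback_id_run(uint16_t *out, size_t count)
{
    srand(1);
    for (size_t i = 0; i < count; i++)
        out[i] = fallback_query_id();
}

/* Returns 1 if two "processes" on the fallback path emit identical IDs,
 * i.e. anyone who knows the library can predict every query ID. */
int fallback_ids_are_predictable(void)
{
    uint16_t a[NUM_IDS], b[NUM_IDS];
    fallback_id_run(a, NUM_IDS);
    fallback_id_run(b, NUM_IDS);
    return memcmp(a, b, sizeof a) == 0;
}

/* Preferred path: read the ID from /dev/urandom. Returns 1 on success and
 * 0 if the device is missing or unreadable, which is the condition under
 * which CVE-2023-31147 describes the fallback being taken. */
static int urandom_query_id(uint16_t *id)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, id, sizeof *id);
    close(fd);
    return n == (ssize_t)sizeof *id;
}

/* The check behind the tracker NOTE: does this system provide a readable
 * /dev/urandom? Returns 1 if so. */
int urandom_present(void)
{
    uint16_t scratch;
    return urandom_query_id(&scratch);
}

/* Returns 1 if /dev/urandom is usable and two runs of NUM_IDS IDs differ
 * (two honest 256-bit runs colliding has probability 2^-256). */
int urandom_ids_vary(void)
{
    uint16_t a[NUM_IDS], b[NUM_IDS];
    for (size_t i = 0; i < NUM_IDS; i++)
        if (!urandom_query_id(&a[i]) || !urandom_query_id(&b[i]))
            return 0;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    uint16_t ids[4];
    fallback_id_run(ids, 4);
    printf("fallback IDs (identical in every fresh process): %04x %04x %04x %04x\n",
           ids[0], ids[1], ids[2], ids[3]);
    printf("fallback path predictable: %s\n",
           fallback_ids_are_predictable() ? "yes" : "no");
    printf("/dev/urandom present: %s, IDs vary between runs: %s\n",
           urandom_present() ? "yes" : "no",
           urandom_ids_vary() ? "yes" : "no");
    return 0;
}
```

Build with `cc -o ids ids.c` and run it twice: the fallback line prints the same four IDs on both runs, which is what lets an off-path attacker guess query IDs, while the /dev/urandom path reports present and varying on any Debian system, so the fallback branch is never reached there.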

