-
Notifications
You must be signed in to change notification settings - Fork 343
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GHSA-cc4x-9vpx-cphw] The acpi_ps_complete_final_op() function in drivers/acpi... #5082
[GHSA-cc4x-9vpx-cphw] The acpi_ps_complete_final_op() function in drivers/acpi... #5082
Conversation
Hi @SaketADumbre. Thank you for the PRs however I think both this and #5083 are out of scope for our database |
Hi Jon, The 2 CVEs in question arose a few years ago due to possible attack vectors exposed from memory leaks in our ACPICA project, which can effectively be described as the industry-standard reference implementation of the ACPI Specification, which in turn is responsible for the governance of most of the interactions between HW/FW and the OS/SW. In short, something like a memory location/register in hardware can be exposed directly to the OS (say Linux) due to such reported memory leaks. As a result, I am not sure what type of package best describes such CVEs. Merging the 2 PRs help resolve those 2 vulnerabilities, according to the security research teams of the respective National Laboratories (or equivalent entities) based in South Korea and Taiwan. The PRs which I merged earlier today help ensure that no data is possibly leaked and that there is no attack surface for any possible attack to be carried out! Hope this helps answer some critical questions! Kind regards, |
That's good to hear that you were able to address the data leak!
The purpose of our database is specifically to drive automation for things like dependabot and in order to do that we index based on packages from popular package registries. If there isn't one then I'm gonna have to close these PRs as they're out of scope |
Ahh I see. What happens then, say in the NIST database for these CVEs? How can we make sure that they are marked as resolved? |
Looking at https://nvd.nist.gov/vuln/detail/CVE-2017-13694 which is the CVE that corresponds to this GHSA (GHSA-cc4x-9vpx-cphw) it looks like mitre was the source. They have a contact form here |
Thanks for the info Jon. I can do that later today or tomorrow, but that helps a lot. Appreciate the links and steps to follow! Once that is done, I can let you know so that you can go ahead and close both these GHSA PRs! Thanks! |
Happy to help and feel free to close the PRs yourself too whenever you're ready :) |
Sure, will do! Thanks Jon! |
Updates
Comments
acpica/acpica#278