Wrong unaffected in CVE

[pinkforest]

Hi @asomers

Re old CVE:

RustSec original thread(s) - these are fine it's just CVE that needs a minor fix:

• nix::unistd::getgrouplist buffer overflow rustsec/advisory-db#1060
• Memory unsafety in nix::unistd::getgrouplist #1541

Expected Affected / Patched Matrix

It should be across CVE, GHSA and RustSec databases:

Affected versions	Patched versions
>= 0.16.0, < 0.20.2	0.20.2
>= 0.21.0, < 0.21.2	0.21.2
>= 0.22.0, < 0.22.2	0.22.2

Problem

It seems that the nist CVE has got wrong unaffected for the 0.20 series so basically anything below 0.20.0 is seemingly affected

Dependabot is screaming at me if using old 0.13.0 version which is supposed to be unaffected

Dependabot via GHSA uses both CVE and GHSA advisories held in GHSA

• CVE incorrect: CVE-2021-45707
• CVE relayed to GHSA incorrect: GHSA-76w9-p8mg-j927
• GHSA derived from RustSec correct: GHSA-wgrg-5h56-jg27

Fix

Needs ot be fixed so < 0.16.0 are unaffected per RUSTSEC / GHSA non-CVE derived:

• CVE-2021-45707 nist/nvd origin and;
• GHSA synced CVE-2021-45707

[asomers]

Are you saying that there's a syntax error in the CVE? If so it needs to be fixed in rustsec/advisory-db , not in Nix. You should raise an issue there.

[pinkforest]

Yeah well I'm RustSec maintainer. The CVE usually is raised by the software maintainer so I wanted to check on that ..

(The CVE is nist/nvd thing which we don't control. I am not sure who put the information to nist/nvd CVE database which is different to RustSec where we have it correct)

I take it that the vendor (you) were not involved in raising the CVE so I have submitted correction to MITRE. Thanks.