Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list

[Matthew Fernandez <matthew.fernandez () gmail com>]

On 1/27/24 08:53, Alan Coopersmith wrote:
> Unfortunately, many of the email titles are misleading as they represent
> bugs other than NULL pointer dereferences.  For instance,
> "NULL pointer dereference in __glXGetDrawableAttribute() of Mesa" from
> https://seclists.org/fulldisclosure/2024/Jan/50 points to
> https://gitlab.freedesktop.org/mesa/mesa/-/issues/9857 which is an
> out-of-bounds read that would segfault long before it could cause the
> pointer to wrap around to a NULL value.

Most fields of the Graphviz issue are also incorrect. I will reply to 
that thread clarifying them.

> While I can't speak for all the projects involved, I can speak for the
> X.Org maintainers & security team, and I can say that we were not
> consulted or informed about this CVE filing - if I wasn't on the FD
> mailing list, I wouldn't even know it had happened.  The CNA responsible
> has not yet published the CVE to the CVE database yet, so we can't yet
> file a dispute, but once they do, I plan to request that they withdraw
> CVE-2023-45916 for xedit, as there is no security boundary crossed here
> and the bug doesn't allow someone to do anything they otherwise couldn't.

We (the Graphviz maintainers) were also not consulted/informed. Though 
we do not plan to contest the CVE.