
[GHSA-cc4x-9vpx-cphw] The acpi_ps_complete_final_op() function in drivers/acpi... #5082

Conversation

@SaketADumbre (Author)

Updates

  • Affected products
  • Source code location
  • Summary

Comments
acpica/acpica#278

@github-actions github-actions bot changed the base branch from main to SaketADumbre/advisory-improvement-5082 December 12, 2024 16:34
@darakian (Contributor)

Hi @SaketADumbre. Thank you for the PRs; however, I think both this and #5083 are out of scope for our database:
https://github.com/github/advisory-database?tab=readme-ov-file#supported-ecosystems
Maybe I'm missing something though. Is there a package that fits?

@SaketADumbre (Author)

Hi Jon,

The 2 CVEs in question arose a few years ago due to possible attack vectors exposed from memory leaks in our ACPICA project, which can effectively be described as the industry-standard reference implementation of the ACPI Specification, which in turn is responsible for the governance of most of the interactions between HW/FW and the OS/SW. In short, something like a memory location/register in hardware can be exposed directly to the OS (say Linux) due to such reported memory leaks. As a result, I am not sure what type of package best describes such CVEs. Merging the 2 PRs helps resolve those 2 vulnerabilities, according to the security research teams of the respective National Laboratories (or equivalent entities) based in South Korea and Taiwan. The PRs which I merged earlier today help ensure that no data is possibly leaked and that there is no attack surface for any possible attack to be carried out! Hope this helps answer some critical questions!

Kind regards,
Saket Dumbre

@darakian (Contributor)

That's good to hear that you were able to address the data leak!

> As a result, I am not sure what type of package best describes such CVEs

The purpose of our database is specifically to drive automation for things like dependabot, and in order to do that we index based on packages from popular package registries. If there isn't one, then I'm gonna have to close these PRs as they're out of scope.

@SaketADumbre (Author)

Ahh I see. What happens then, say in the NIST database for these CVEs? How can we make sure that they are marked as resolved?

@darakian (Contributor)

Looking at https://nvd.nist.gov/vuln/detail/CVE-2017-13694, which is the CVE that corresponds to this GHSA (GHSA-cc4x-9vpx-cphw), it looks like MITRE was the source. They have a contact form here:
https://cveform.mitre.org/
where you can suggest changes to a CVE. I would ping them, share any PRs/issues that are relevant, and ask them to add the fixed versions to the description text.

@SaketADumbre (Author)

Thanks for the info Jon. I can do that later today or tomorrow, but that helps a lot. Appreciate the links and steps to follow! Once that is done, I can let you know so that you can go ahead and close both these GHSA PRs! Thanks!

@darakian (Contributor)

Happy to help and feel free to close the PRs yourself too whenever you're ready :)

@SaketADumbre (Author)

Sure, will do! Thanks Jon!

@github-actions github-actions bot deleted the SaketADumbre-GHSA-cc4x-9vpx-cphw branch December 18, 2024 18:31