Closed raboof closed 1 year ago
Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/cbe45b19d4b97520173c48defa4c6747156d6dcf, it reports CVE-2023-41175 in libtiff.
The problem is we do not yet take into account the version range from the CVE: the CVE says the library is unaffected at 4.6.0, but we ignore this. Nix-Security-WG/nix-local-security-scanner#45
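One way a scanner can honour the CVE's affected version range before reporting a match, as an added Python example (not code from nix-local-security-scanner); the CVE record is a constructed sample in the shape of a CVE JSON 5.x `affected` array, not the real CVE-2023-41175 entry:

```python
"""Check a package version against CVE 5.x-style 'affected' version ranges.

Added example, not the scanner's own code. SAMPLE_CVE is constructed: it
models a product affected from 4.0.0 up to (not including) 4.6.0, so a
4.6.0 build must not be reported.
"""
import json
import re

# Constructed sample in CVE JSON 5.x shape (not the real record).
SAMPLE_CVE = json.loads("""
{"cveMetadata": {"cveId": "CVE-2023-41175"},
 "containers": {"cna": {"affected": [{
   "vendor": "libtiff", "product": "libtiff",
   "versions": [{"version": "4.0.0", "status": "affected",
                 "lessThan": "4.6.0", "versionType": "semver"}]}]}}}
""")


def parse_version(v: str) -> tuple:
    """Turn '4.5.1' into a comparable tuple; numeric parts compare as ints,
    non-numeric parts (e.g. 'rc1') sort after numbers."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def version_in_range(pkg_version: str, entry: dict) -> bool:
    """True if pkg_version lies inside one 'versions' entry of the record.
    'version' is the range start; 'lessThan' / 'lessThanOrEqual' bound it;
    an entry with neither denotes a single exact version."""
    start = parse_version(entry["version"])
    pv = parse_version(pkg_version)
    if pv < start:
        return False
    if "lessThan" in entry:
        return pv < parse_version(entry["lessThan"])
    if "lessThanOrEqual" in entry:
        return pv <= parse_version(entry["lessThanOrEqual"])
    return pv == start


def is_affected(cve: dict, product: str, pkg_version: str) -> bool:
    """Report the CVE only if the installed version falls in an affected range."""
    for aff in cve["containers"]["cna"]["affected"]:
        if aff.get("product") != product:
            continue
        for entry in aff.get("versions", []):
            if entry.get("status") == "affected" and version_in_range(pkg_version, entry):
                return True
    return False
```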