github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-hvh4-5qr6-3v7r] Observable Timing Discrepancy in pypqc #4513

Closed JamesTheAwesomeDude closed 1 month ago

JamesTheAwesomeDude commented 1 month ago

  1. This only affects the Mac OS version of the package.
  2. No fix is released yet, and package version 0.0.6.X is not receiving security updates as 0.0.7.X is a non-breaking upgrade. Whoever filed this as "fixed in versions >= 0.0.6.2" did so wrongly, unless they have some information I'm not privy to. The latest release, 0.0.7, is also affected.

github commented 1 month ago

Hi there @JamesTheAwesomeDude! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

JamesTheAwesomeDude commented 1 month ago

also, I'm not sure why CWE-733 was removed from the global version of this advisory as it's the cause of the vulnerability

shelbyc commented 1 month ago

👋 Hi @JamesTheAwesomeDude, I'll respond to each of your comments one by one:

> This only affects the Mac OS version of the package.

Does this mean that the PyPI package pypqc is unaffected and therefore alerts should not be generated? If the PyPI package pypqc is affected but only when used on MacOS, unfortunately there is no way to tailor alerts to only users of MacOS.

> No fix is released yet, and package version 0.0.6.X is not receiving security updates as 0.0.7.X is a non-breaking upgrade. Whoever filed this as "fixed in versions >= 0.0.6.2" did so wrongly, unless they have some information I'm not privy to. The latest release, 0.0.7, is also affected.

I don't see anywhere in the JSON for GHSA-hvh4-5qr6-3v7r as fixed, the way GHSA-m87m-mmvp-v9qm's JSON has an entry for fixed with 4.6.3 under it.

What "last_affected": "0.0.6.2" means is that 0.0.6.2 is the most recent version known to contain the vulnerability. We generally avoid having open-ended vulnerable version ranges with only lower bounds, e.g. >= 0.0.4, for advisories for software that is non-malicious in case the vulnerability is patched, to prevent users of patched versions from receiving unnecessary alerts. If a fixed version is published, are you comfortable with users receiving unnecessary alerts between when the fixed version is published and when the global advisory can be updated? An update made to the repository advisory will not automatically populate to the global advisory and will still need to go through human review.

> also, I'm not sure why CWE-733 was removed from the global version of this advisory as it's the cause of the vulnerability

There's a bug that keeps some data from the repository advisory from automatically being added from the repository advisory to the global advisory. CWE-733 wasn't removed -- it just didn't get added automatically, but we can still add it manually. 🙂 I can add CWE-733 and CWE-385 manually if you would like.
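To make the `last_affected` versus open-ended range distinction concrete, here is an added example (not code from the advisory-database project) that evaluates OSV-style `affected[].ranges` events the way the discussion describes them. The advisory fragments are constructed: a closed-ended range ending at `last_affected` 0.0.6.2, an open-ended range with only the `introduced` 0.0.4 lower bound, and a hypothetical range closed by a `fixed` event that the page does not claim exists.

```python
"""Evaluate OSV-style version range events against a package version."""
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Simplified dotted-numeric comparison; real tooling would use PEP 440."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, ranges: List[Dict]) -> bool:
    """Return True if `version` falls inside any ECOSYSTEM range.

    Event semantics: 'introduced' opens a range, 'fixed' closes it
    exclusively, 'last_affected' closes it inclusively, and a range
    with no closing event is open-ended (every later version alerts).
    """
    v = parse_version(version)
    for rng in ranges:
        if rng.get("type") != "ECOSYSTEM":
            continue
        start = None
        for event in rng["events"]:
            if "introduced" in event:
                start = parse_version(event["introduced"])
            elif "fixed" in event and start is not None:
                if start <= v < parse_version(event["fixed"]):
                    return True
                start = None
            elif "last_affected" in event and start is not None:
                if start <= v <= parse_version(event["last_affected"]):
                    return True
                start = None
        if start is not None and start <= v:
            return True
    return False


# Constructed fragments mirroring the discussion above.
CLOSED_ENDED = [{"type": "ECOSYSTEM", "events": [
    {"introduced": "0.0.4"}, {"last_affected": "0.0.6.2"}]}]
OPEN_ENDED = [{"type": "ECOSYSTEM", "events": [{"introduced": "0.0.4"}]}]
# Hypothetical: what a range would look like once a fix ships (none exists).
HYPOTHETICAL_FIXED = [{"type": "ECOSYSTEM", "events": [
    {"introduced": "0.0.4"}, {"fixed": "0.0.8"}]}]

if __name__ == "__main__":
    # The trade-off: the closed range stays quiet for 0.0.7 even though the
    # reporter says it is affected; the open range alerts on 0.0.7 and would
    # keep alerting on any future patched version until the advisory is updated.
    print("0.0.7 closed-ended:", is_affected("0.0.7", CLOSED_ENDED))
    print("0.0.7 open-ended:", is_affected("0.0.7", OPEN_ENDED))
```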

JamesTheAwesomeDude commented 1 month ago

> If the PyPI package pypqc is affected but only when used on MacOS

Unfortunately, that is exactly the case. https://pypi.org/project/pypqc/0.0.6.2/#copy-hash-modal-83fd8ce7-5b0b-40ce-9261-11ffcbf52445

> If a fixed version is published, are you comfortable with users receiving unnecessary alerts between when the fixed version is published and when the global advisory can be updated?

Given the above understanding, then the closed-ended version as originally filed by GitHub is the way to go and you can disregard this pull request. 👍

> There's a bug … I can add CWE-733 and CWE-385 manually if you would like.

That would be great; thanks.

shelbyc commented 1 month ago

> That would be great; thanks.

🙂 OK! I just added CWE-733 and CWE-385 to the advisory manually.

I also copied CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C that you provided in the description of the repository advisory to the CVSS field of the global advisory to help readers see your severity assessment more easily. 👍