mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-04-28 18:02:38 +02:00
ci: Ignore two CVEs from our security scans
Ignore two CVEs from our security scans, which were triggered when scanning the Dangerzone container image for v0.4.1. These CVEs do not affect out users, and we offer an explanation why.
This commit is contained in:
Alex Pyrgiotis
parent
75be9b5c00
commit
8b2c5bba75
1 changed files with 43 additions and 0 deletions
43
.grype.yaml
Normal file
43
.grype.yaml
Normal file
|
|
@ -0,0 +1,43 @@
|
|||
# This configuration file will be used to track CVEs that we can ignore for the
|
||||
# latest release of Dangerzone, and offer our analysis.
|
||||
|
||||
ignore:
|
||||
# CVE-2023-1255
|
||||
# =============
|
||||
#
|
||||
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-1255
|
||||
# Verdict: Dangerzone is not affected. The rationale is the following:
|
||||
#
|
||||
# 1. This CVE affects software that performs encryption, typically disk
|
||||
# encryption, which is not the case for Dangerzone.
|
||||
# Also, the worst outcome
|
||||
# 2. The NVD entry reports the severity of this CVE as "Medium", which is
|
||||
# yet another sign that we can ignore it.
|
||||
# 3. The worst outcome is denial of service, which is acceptable in our
|
||||
# case.
|
||||
- vulnerability: CVE-2023-1255
|
||||
|
||||
# CVE-2023-28879
|
||||
# ==============
|
||||
#
|
||||
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-28879
|
||||
# Write up: https://offsec.almond.consulting/ghostscript-cve-2023-28879.html
|
||||
# Verdict: Dangerzone is not affected. The rationale is the following:
|
||||
#
|
||||
# 1. This CVE affects the PostScript interpreter of Ghostscript (i.e., .ps
|
||||
# files). This is evident from the write up, and the PoCs in GitHub:
|
||||
# https://github.com/AlmondOffSec/PoCs/tree/master/Ghostscript_rce
|
||||
# 2. Dangerzone does not accept .ps files. The GUI does not allow users to
|
||||
# select them and, even if you force them through the CLI, Dangerone will
|
||||
# report that "The document format is not supported".
|
||||
# 3. Depending on the document type, the first conversion command will
|
||||
# either be LibreOffice, GraphicsMagick, or pdftoppm. None of these
|
||||
# commands call a Ghostscript binary
|
||||
# (see here for the list of Ghostscript binaries:
|
||||
# https://pkgs.alpinelinux.org/contents?branch=edge&name=ghostscript&arch=x86&repo=main)
|
||||
# 4. We tested out removing the GhostScript package from the container
|
||||
# image. We verified that the only place where a Ghostscript binary is
|
||||
# used is when compressing the final PDF (ps2pdf). The compression takes
|
||||
# place after the document has been converted to pixels, so the attacker
|
||||
# has no control over it.
|
||||
- vulnerability: CVE-2023-28879
|
||||
Loading…
Reference in a new issue