[DiabloD3]

CVEs, however, do get scored according to CVSS, and they are often extremely hostile and live in fantasy land.

CVEs also cannot be denied by projects, and are often used as an avenue of harassment towards open source projects.

I agree with the poster on that mailing list, this is not, nor should be, a CVE. At no point can you edit those files without being root.

[quacksilver]

Is that not a problem with how people are using CVEs, scoring them and attaching value to them rather than whether a CVE should be assigned itself. A CVE is simply a number and some data on a vulnerability so that the community knows they are all talking about the same issue

Even if you need to be root to edit the files, it still is a deviation from the design or reasonably expected behaviour of that interface, so is still a bug and should still get a CVE. It should either be fixed or failing that documented as 'wont fix' and on the radar of anyone building an application. Someone building the next plesk or cpanel or similar management system should at least know about filtering their input and not allowing it to get to the dangerous config file.

Re: Harassment - Can't the project release a statement saying that the bug writeup is low quality and unable to be reproduced? Anyone ignoring that without question and using it as evidence that the project is bad without proof is putting way too much value in CVEs and the fault is their own

[TheDong]

> so is still a bug and should still get a CVE

It's a bug, sure. The V in CVE is for "vulnerability", which is why people treat CVEs as more than just bugs.

If every bug got a CVE, practically every commit would get one and they'd be even less useful than they are now.

At that point, why not just use commit hashes for CVEs and get rid of the system entirely if we're going to say every bug should get a CVE?

> Re: Harassment - Can't the project release a statement saying that the bug writeup is low quality and unable to be reproduced?

If your suggested response to a human DoS is "why can't the humans just do more work and write more difficult-to-word-correctly communication", then you're not understanding the problem.

[quacksilver]

If you are wasting time wording communication then are you doing it wrong?

I imagine the response would be looking at it briefly, seeing if it looks dangerous or reproducible and getting an AI to return a templated "PoC or GTFO" response.

The mere existence of a CVE doesn't tell anyone whether a bug is valid or not, and the security reports should be handled in the same way regardless of whether one does exist. For some odd reason people have attached value to having your name logged beside CVEs, despite it not telling you anything,

[TheDong]

"human communication is easy, just have an AI say 'buzz off' and the conversation partner and other strangers will always respond respectfully, I don't know why so many people complain about lack of spoons or other social issues".

Thanks doctor, you just solved my anxiety.

I broadly agree that having templates does lower the amount of human effort and emotional labor required, but trust me, it's not a silver bullet, even hitting someone with a template takes spoons.

I don't really care that CVEs in theory are apparently entirely without meaning and created for nonexistent bugs, we're talking about the reality of how they're perceived and used.

Like, I'm saying "Issuing garbage such that 100 people have to read it and then figure out what to do is bad, we should instead have a higher bar for the initial issuing part so 1 or 2 people have to actually read it, and 100 people can save some time. We should call out issuing garbage as bad behavior to hopefully reduce it in the future".

You're apparently disagreeing with that and saying "But reading is easy, and the thing is meaningless anyway so this real harm that actually happens is totally fine. We should keep issuing as much garbage as we can, the numbers don't mean anything. It's better to make a pile of garbage and stress the entire system such that no one values or trusts it than to add any amount of vetting or criticism over creating garbage"

idk, I guess we're probably actually on the same page and you're just arguing for arguing's sake because you think you can be a pedant and be technically correct about CVEs. Tell me if I got a wrong read there and you have a more concrete point I'm missing?

[tptacek]

But that's not what happened here. These are memory corruption bugs. Probably not meaningful ones, but in the subset of bugs that are generally considered vulnerabilities.

[TheDong]

It's more complicated than that though. For security, the whole context has to be considered.

Like for example, look at the linked CVE-2025-12200, "NULL pointer dereference parsing config file"...

Please, explain a single dnsmasq setup where someone is somehow constructing a config file such that it both takes in untrusted input where this NPE is the difference between it being secure and being DoSd or insecure somehow, if you can even conjure up a plausible hypothetical way this could happen, I'd love to hear it, because this just seems so impossible to me.

This seems firmly in the realm of issuing CVEs for "post quantum crypto may not be safe from unknown alien attacks"

[ruined]

CVE-2025-1312 bash and sudo privilege escalation

sudo may be exploited to obtain full root privilege when the shell receives attacker-controlled input

to reproduce: execute this shell script and authorize sudo when prompted

[ajross]

> Is that not a problem with how people are using CVEs, scoring them and attaching value to them

Well, yes, it is. But if that's the way the market is going to game the scoring/value system it's (mis)using, then it behooves a project that wants to be successful to play the same game and push back when the scoring unfairly penalizes it.

Basically dnsmasq doesn't really have much of a choice here. Someone found a config parser bug and tried to make a big deal out of it, so someone else (which has to be dnsmasq or a defender) needs to explain why it's not a big deal.

[akerl_]

Why?

What negative thing happens to the dnsmasq project if they just don’t argue about whether or not it’s a big deal.

[ajross]

Some product decides not to use it. Someone loses a contract supporting it. Someone doesn't get a job because their work isn't favored anymore.

I think you're trying to invoke a frame where because dnsmasq is "open source" that it isn't subject to market forces or doesn't define value in a market-sensitive way. And... it is, and it does.

Free software hippies may be communists at heart but they still need to win on a capitalist battlefield.

[BobbyTables2]

It gets blurry at times though.

Imagine a router has a web/cli interface for setting the DHCP server’s domain name. At some point the users’s data is forwarded to a process exiting the root-owned file.

Hypothetically, If a vulnerability in the parsing of such from the config could be exploited from the end-user, that would certainly matter.

And these things always seem to be one step away from bugs that allow arbitrary injection into the config file…

(I’m amazed at the hot messes exposed with HTTP and SMTP regarding difference in CR/CRLF/LF handling. Proxy servers and even “git” keep screwing this up…)

[elnerd]

Just because you cannot see how a vulnerability can be exploited does not mean that others can. As you describe, people seem to assume that the only way the config file ends up on the server is «physically» editing it.

An anecdote: I have been struggling with exploiting a product that relies on MongoDb, I can replace the configuration file, but gaining RCE is not supported «functionality» in the embedded version as the __exec option came in a newer version.

A parser bug would be most welcome here.

[bawolff]

Why stop there? Imagine a situation where the user is allowed to patch the binary.