Viewing CVEs For Your Active Guix Profile And System

Someone in #guix IRC gave me this helpful command for listing CVEs for your active Guix profile and system:

guix lint -c cve $(guix package -p ~/.guix-profile -p /run/current-system/profile -I | cut -f1)

Things were a little more complicated for me because I use inferiors, so some installed packages are not defined in my current guix pull. I had to add some grep calls to exclude those packages from the list:

christopher@theoden ~$ guix lint -c cve $(guix package -p ~/.guix-profile -p /run/current-system/profile -I | grep -v qucs | grep -v linphoneqt | cut -f1)
gnu/packages/admin.scm:1932:2: wpa-supplicant@2.9: probably vulnerable to CVE-2019-16275
gnu/packages/avahi.scm:38:2: avahi@0.8: probably vulnerable to CVE-2021-26720, CVE-2021-3468
gnu/packages/base.scm:180:2: tar@1.32: probably vulnerable to CVE-2021-20193, CVE-2021-32803, CVE-2021-32804
gnu/packages/base.scm:238:2: patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638, CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-2018-6952
gnu/packages/admin.scm:803:2: shadow@4.8.1: probably vulnerable to CVE-2019-19882
gnu/packages/wget.scm:46:2: wget@1.20.3: probably vulnerable to CVE-2021-31879
gnu/packages/databases.scm:1289:2: recutils@1.8: probably vulnerable to CVE-2019-11637, CVE-2019-11638, CVE-2019-11639, CVE-2019-11640, CVE-2019-6455, CVE-2019-6456, CVE-2019-6457, CVE-2019-6458, CVE-2019-6459, CVE-2019-6460
gnu/packages/gnome.scm:10753:2: evolution@3.34.2: probably vulnerable to CVE-2021-3349
gnu/packages/dns.scm:318:2: bind@9.16.16: probably vulnerable to CVE-2019-6470
gnu/packages/compression.scm:1692:2: zip@3.0: probably vulnerable to CVE-2018-13410
gnu/packages/compression.scm:1796:2: unzip@6.0: probably vulnerable to CVE-2019-13232
gnu/packages/rsync.scm:73:2: rsync@3.2.3: probably vulnerable to CVE-2020-14387
gnu/packages/virtualization.scm:144:2: qemu@6.0.0: probably vulnerable to CVE-2021-20255, CVE-2021-3507, CVE-2021-3527, CVE-2021-3544, CVE-2021-3545, CVE-2021-3546, CVE-2021-3682, CVE-2020-35503
gnu/packages/python.scm:108:2: python2@2.7.17: probably vulnerable to CVE-2021-23336, CVE-2021-3426, CVE-2020-8492, CVE-2019-18348, CVE-2019-20907, CVE-2019-9674
gnu/packages/python.scm:366:2: python@3.8.2: probably vulnerable to CVE-2021-23336, CVE-2021-29921, CVE-2021-3426, CVE-2020-14422, CVE-2020-27619, CVE-2019-18348
gnu/packages/tls.scm:495:2: openssl@1.1.1l: probably vulnerable to CVE-2018-16395

Most of these are Medium-severity CVEs. It looks like a lot of vulnerabilities, but things are less clear-cut once you actually read the CVEs. Many of them carry notes similar to "this CVE has been modified and is awaiting re-analysis", "it is highly unlikely that this vulnerability would ever be exposed in any real use of the application", or "third parties dispute the significance of this issue". The CVE shown attached to openssl, at a quick glance, appears to be more of a vulnerability in the Ruby module that uses openssl.
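As an added example (not from the post or from Guix itself), here is a POSIX shell version of the same workflow that applies the exclusion list by exact package name instead of `grep -v` substring matching, and tallies the lint output per package. The function names `installed_names`, `cve_summary` and `lint_profiles` and the sample data are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the post. `guix package -I` prints one tab-separated
# line per installed package: name, version, output, store path (the post's
# command keeps field 1 with `cut -f1`).

# Print the names from `guix package -I` output on stdin, skipping the names in
# the space-separated exclusion list ($1). Exact matching on the name field
# avoids `grep -v qucs` also dropping any other line whose store path
# happens to contain "qucs".
installed_names() {
    awk -F'\t' -v ex="$1" '
        BEGIN { n = split(ex, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        NF >= 1 && !($1 in skip) { print $1 }'
}

# Summarise `guix lint -c cve` output on stdin as "<name>@<version> <count>"
# per flagged package, then "total <n>". Lint lines look like
# "file:line:col: pkg@ver: probably vulnerable to CVE-..., CVE-...".
cve_summary() {
    awk -F': ' '
        /probably vulnerable to/ {
            n = gsub(/CVE-[0-9]+-[0-9]+/, "&", $3)   # count CVE ids in field 3
            print $2, n
            total += n
        }
        END { print "total", total + 0 }'
}

# The post's lint run with the exclusion list applied by exact name. Only the
# package name reaches guix lint, so the version checked is the one defined by
# the current `guix pull` generation. With no package arguments `guix lint`
# checks every package in the distribution, so refuse an empty list.
lint_profiles() {
    names=$(guix package -p ~/.guix-profile -p /run/current-system/profile -I \
        | installed_names "$1")
    [ -n "$names" ] || { echo "no packages to lint" >&2; return 1; }
    guix lint -c cve $names
}

# Constructed sample input: placeholder store hashes, made-up versions for
# qucs/linphoneqt; wget and openssl versions are the ones from the post.
SAMPLE_INSTALLED=$(printf '%s\t%s\tout\t/gnu/store/HASH-%s-%s\n' \
    wget 1.20.3 wget 1.20.3  qucs 1.0 qucs 1.0 \
    openssl 1.1.1l openssl 1.1.1l  linphoneqt 1.0 linphoneqt 1.0)
# Two lint lines copied from the post's output.
SAMPLE_LINT='gnu/packages/base.scm:180:2: tar@1.32: probably vulnerable to CVE-2021-20193, CVE-2021-32803, CVE-2021-32804
gnu/packages/tls.scm:495:2: openssl@1.1.1l: probably vulnerable to CVE-2018-16395'

printf '%s\n' "$SAMPLE_INSTALLED" | installed_names "qucs linphoneqt"
printf '%s\n' "$SAMPLE_LINT" | cve_summary
```

Run `lint_profiles "qucs linphoneqt"` on a machine with Guix to reproduce the post's command; the two sample pipelines at the bottom run offline.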

Comments

Alaskalinuxuser, 2021-09-02

Yes, I find one must carefully read the CVEs before blindly taking action when I work with Android kernels.