How should one report small vulnerabilities in individual modules?

Hi, I think I spotted a small vulnerability while reading through a module - it seems very minor and unlikely to be exploited in practice, but it’s there and I’d like to report and fix it (if it’s even actually a problem, having a second pair of eyes would be nice).

I imagine there are probably tons of these small vulnerabilities, some seem to even just be reported publicly (e.g. #121293, which actually seems relatively major) without fixes. The security policy doesn’t give much guidance for small nits like these and it seems overkill to email some of the most busy people in the community with this kind of thing.

At this point I was tempted to just forget I ever saw anything and move on; instead, I figure it’s useful to raise this here - what should someone in this situation do, and can we elaborate on the security policy a bit to give more guidance to potential contributors?

2 Likes

Reporting something full-disclosure is always better than not reporting something because a more involved disclosure would take too much time.

So definitely file a nixpkgs issue in all cases!

It will allow others to judge the severity for themselves – an issue might be minor for one user, and major for another. It will also allow you and others to easily communicate who does the fix, and whether progress is made.

Further:

I think reporting issues confidentially makes sense for big, easily exploitable issues like unauthenticated remote code execution, and so on.

For “small nits”, a plain issue with the security label is best.

2 Likes

Speaking of public ways, that matrix room seems quite active, too.

Oh and if the module has a maintainer, that might be a good person for non-public disclosure, though even here I wouldn’t give them too much time, probably a week before publishing at most. (And one can commonly encounter people marked as maintainers that aren’t active anymore and don’t react.)

I raised NixOS modules: Secrets provided in arguments are exposed to unprivileged users · Issue #156400 · NixOS/nixpkgs · GitHub, I think it’s very similar to the chmod issue after all. I didn’t realize how common it actually was. Sadly I lack the permission to label my own issues, I assume you both would have such permissions? If so, could I ask for a kind relabel? :)

I believe adding an addendum to the security policy to codify what @nh2 explains would take an RFC?

1 Like

Great writeup, and also great job on the Gitea fix!