On Tue, Mar 11, 2025 at 10:42:41AM +1100, Dave Chinner wrote:
> Greg, you have the ability to issue a CVE that will require
> downstream distros to fix userspace-based vulnerabilities if they
> want various certifications. You have the power to force downstream
> distros to -change their security model policies- for the wider
> good.
>
> We could knock out this whole class of vulnerability in one CVE:
> issue a CVE considering the auto-mounting of untrusted filesystem
> images as a *critical system vulnerability*. This can only be solved
> by changing the distro policies and implementations that allow this
> dangerous behaviour to persist.

I wish we could do that, but remember, we cannot tell people how to use
Linux. We have no "control" over that at all. All we can do is point
out "here is a potential vulnerability, it might be applicable to you,
or it might not, depending on your use case, it's up to you to figure it
out". And we do that by issuing CVEs.

Heck, if we could dictate use, I would issue a "stop using panic on
warn, you fools!" CVE right now, which would instantly get rid of a huge
percentage of all kernel CVEs out there. Smart users of Linux do disable
that, and so they are not vulnerable to those at all.

Remember, we issue, on average, 11-13 CVEs a day. Here are our most
recent numbers:

=== CVEs Published in Last 6 Months ===
October 2024: 427 CVEs
November 2024: 280 CVEs
December 2024: 358 CVEs
January 2025: 234 CVEs
February 2025: 929 CVEs
March 2025: 56 CVEs

=== Overall Averages ===
Average CVEs per month: 415.99
Average CVEs per week: 95.64
Average CVEs per day: 13.66

So don't get all worried about individual CVEs, unless you all think
they are not valid at all, in which case we are glad to revoke them.

> At worst, this makes the reason you give for filesystem corruption
> issues being considered CVE worthy go away completely.

Filesystem corruption or data loss is not considered a vulnerability by
cve.org, so we do not track them at this point in time.

However, other groups' requirements might require this in the future, so
this might change (i.e. the CRA law in Europe).

thanks,

greg k-h
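Greg's remark that careful users turn off panic_on_warn raises the obvious practitioner question: how do I check whether my own hosts run with it? The following is an added example, not part of the e-mail thread and not from any kernel or distro tool. It reads the two places the kernel exposes the setting, the runtime sysctl `/proc/sys/kernel/panic_on_warn` and the boot command line `/proc/cmdline` (where `panic_on_warn=N` with a non-zero N enables it at boot, as `core_param` in kernel/panic.c defines it). The file paths are parameters so the check can be run against constructed files; the function name `panic_on_warn_status` and the output format are my own.

```shell
#!/bin/sh
# Added example: report the panic_on_warn state of a Linux host.
# Not code from the LKML thread; the helper name and output format
# are assumptions for this illustration.

# panic_on_warn_status [SYSCTL_FILE] [CMDLINE_FILE]
#   SYSCTL_FILE  defaults to /proc/sys/kernel/panic_on_warn (runtime value)
#   CMDLINE_FILE defaults to /proc/cmdline (boot-time setting)
# Prints "runtime=<0|1|unknown> boot=<0|1>" on stdout.
# Exit status: 0 if panic_on_warn is off at runtime, 1 if it is on,
# 2 if the runtime value could not be read (e.g. not on Linux).
panic_on_warn_status() {
    sysctl_file=${1:-/proc/sys/kernel/panic_on_warn}
    cmdline_file=${2:-/proc/cmdline}

    # Runtime value: a single integer, 0 = WARN() is only logged,
    # non-zero = WARN() calls panic().
    runtime=unknown
    if [ -r "$sysctl_file" ]; then
        runtime=$(tr -d '[:space:]' < "$sysctl_file")
        case "$runtime" in
            0) runtime=0 ;;
            *[!0-9]*|'') runtime=unknown ;;
            *) runtime=1 ;;   # any non-zero integer enables it
        esac
    fi

    # Boot-time value: the kernel command line is a space-separated list
    # of key=value tokens; panic_on_warn=<non-zero> enables it at boot,
    # which matters because a sysctl change does not survive a reboot.
    boot=0
    if [ -r "$cmdline_file" ] &&
       tr -s ' \t\n' '\n' < "$cmdline_file" | grep -Eqx 'panic_on_warn=[1-9][0-9]*'; then
        boot=1
    fi

    printf 'runtime=%s boot=%s\n' "$runtime" "$boot"

    case "$runtime" in
        0) return 0 ;;
        1) return 1 ;;
        *) return 2 ;;
    esac
}

# Stand-alone use: check the running host.
if [ "${0##*/}" = "panic_on_warn_check.sh" ]; then
    panic_on_warn_status
fi
```

A host reporting `runtime=1` can be fixed immediately with `sysctl -w kernel.panic_on_warn=0`, but that is lost on reboot; if `boot=1` is also reported, the `panic_on_warn=` token has to be removed from the bootloader's kernel command line as well, otherwise the next boot re-enables it before any sysctl.d drop-in is applied.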