Re: [PATCH RFC 6.6.y 00/15] Some missing CVE fixes

Hi!

> > > And yes, many bugs at this level (turns out about 25% of all stable
> > > commits) match that definition, which is fine.  If you have a problem
> > > with this, please take it up with cve.org and their rules, but don't go
> > > making stuff up please.
> > 
> > You are assigning CVEs for any bug. No, it is not fine, and while the CVE
> > rules may permit you to do that, it is unhelpful, because the CVE feed
> > has become useless.
> 
> Their rules _REQUIRE_ us to do this.  Please realize this.

If you said that limited manpower makes you do this, that would be
something to consider. Can you quote those rules?

I'd expect a vulnerability description to be in English, not part
English text and part copy/paste from the changelog. I'd also expect a
vulnerability description ... to ... well, describe the
vulnerability, while changelogs describe the fix being made, not the
vulnerability.

Some even explain why the bug being fixed is not a vulnerability at all,
like this one. (Not even a bug, to be exact. It is a workaround for a
static checker.)

I don't believe the rules are solely responsible for this.

> > (And yes, some people are trying to mitigate the damage you are doing by
> > disputing the worst offenders, and the process shows that quite often CVEs get
> > assigned when they should not have been.)
> 
> Mistakes happen, we revoke them when asked, that's all we can do and
> it's worlds better than before when you could not revoke anything and
> anyone could, and would, assign random CVEs for the kernel with no way
> to change that.

Yes, way too many mistakes happen. And no, it is not an improvement
over the previous situation.

Best regards,
								Pavel

https://www.cve.org/CVERecord?id=CVE-2023-52472

Published: 2024-02-25
Updated: 2024-05-29
Title: Crypto: Rsa - Add A Check For Allocation Failure

Description
In the Linux kernel, the following vulnerability has been resolved: crypto: rsa - add a check for allocation failure Static checkers insist that the mpi_alloc() allocation can fail so add a check to prevent a NULL dereference. Small allocations like this can't actually fail in current kernels, but adding a check is very simple and makes the static checkers happy.
-- 
DENX Software Engineering GmbH,        Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
