Re: [PATCH RFC 6.6.y 00/15] Some missing CVE fixes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Oct 08, 2024 at 02:33:27PM +0200, Pavel Machek wrote:
> Hi!
> 
> > > > And yes, many bugs at this level (turns out about 25% of all stable
> > > > commits) match that definition, which is fine.  If you have a problem
> > > > with this, please take it up with cve.org and their rules, but don't go
> > > > making stuff up please.
> > > 
> > > You are assigning CVE for any bug. No, it is not fine, and while CVE
> > > rules may permit you to do that, it is unhelpful, because the CVE feed
> > > became useless.
> > 
> > Their rules _REQUIRE_ us to do this.  Please realize this.
> 
> If you said that limited manpower makes you do this, that would be
> something to consider. Can you quote those rules?

The rules are that we have to assign a CVE id to every vulnerability
that has been fixed in Linux.  The defintion of "vulnerability" is
defined by them (note, it does NOT include data loss, go figure...)

> I'd expect vulnerability description to be in english, not part of
> english text and part copy/paste from changelog. I'd also expect
> vulnerability description ... to ... well, describe the
> vulnerability. While changelogs describe fix being made, not the
> vulnerability.

If you object to _how_ we write the text, wonderful, please send us
updated texts for any/all CVE ids and we will be glad to update them.
But for now, we are taking them directly from the changelog which is
sufficient so far.

> Some even explain why the bug being fixed is not vulnerability at all,
> like this one. (Not even bug, to be exact. It is workaround for static
> checker).
> 
> I don't believe the rules are solely responsible for this.

Again, you are conflating the fact that you don't like what we
currently put in the changlog with something you said earlier that was
totally different (i.e. we were assigning cve ids for things that did
not deserve them.)

Moving the goal-posts is fun in a discussion, but not something I have
time for here, sorry.

> > > (And yes, some people are trying to mitigate damage you are doing by
> > > disputing worst offenders, and process shows that quite often CVEs get
> > > assigned when they should not have been.)
> > 
> > Mistakes happen, we revoke them when asked, that's all we can do and
> > it's worlds better than before when you could not revoke anything and
> > anyone could, and would, assign random CVEs for the kernel with no way
> > to change that.
> 
> Yes, way too many mistakes happen. And no, it is not an improvement
> over previous situation. 

Based on many discussions I have had with many companies and users over
the past months, they all seem to disagree with you, which is fine, we
always know we can't please everyone.

greg k-h




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux