Date: Tue, 1 May 2018 01:17:36 +0300 From: Alexander Popov <alex.popov@...ux.com> To: Kurt Seifried <kseifried@...hat.com>, oss-security <oss-security@...ts.openwall.com> Cc: Kees Cook <keescook@...omium.org>, "Serge E. Hallyn" <serge@...lyn.com>, Brad Spengler <spender@...ecurity.net>, PaX Team <pageexec@...email.hu>, James Morris <jmorris@...ei.org>, "Reshetova, Elena" <elena.reshetova@...el.com> Subject: Re: Re: Linux Kernel Defence Map On 05.04.2018 02:55, Kurt Seifried wrote: > Please use a CWE identifier if one exists (https://cwe.mitre.org/), if one > doesn't exist perhaps we should have one (email me and I'm happy to help get > that ball rolling). Having a CWE not only helps categorize things correctly but > gives us something to point developers at for resources around flaws and how > they can be avoided/dealt with/etc. Hello Kurt, I've just added the corresponding CWE IDs to the vulnerability classes showed on the map: https://github.com/a13xp0p0v/linux-kernel-defence-map It think there is only one vuln class that misses a CWE ID -- Stack Depth Overflow. We currently have CWE-674 (Uncontrolled Recursion), but it doesn't cover the Stack Clash case, which also refers to Stack Depth Overflow. Best regards, Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ