Date: Fri, 25 May 2018 16:59:11 +0200 From: Andrey Konovalov <andreyknvl@...il.com> To: oss-security@...ts.openwall.com Cc: Vladis Dronov <vdronov@...hat.com> Subject: Re: CVE-2018-1130: Linux kernel: dccp: a null pointer dereference in net/dccp/output.c:dccp_write_xmit On Fri, May 25, 2018 at 3:49 PM, Kurt Seifried <kseifried@...hat.com> wrote: > On Fri, May 25, 2018 at 4:48 AM, Andrey Konovalov <andreyknvl@...il.com> > wrote: >> Hi Kurt, >> >> Perhaps I should've been more clear. I wasn't asking "what qualifies >> for a CVE?", but rather "There are a 100 bugs that qualify for CVEs, >> how do single out 10 of them to actually request CVEs for?". >> > > So if a security vulnerability qualifies for CVE INCLUSION (see > https://cve.mitre.org/cve/editorial_policies/counting_rules.html) the next > step is to SPLIT and MERGE the vulns as needed. Esentially what we want is > to end up with buckets where each bucket of vulnerability(s) is: > > 1) unique to a specific code base > 2) unique to a specific version(s)(*) > 3) the same root cause (this is where you have to do homework) > > * Note: the version thing, obviously the affected versions/commits for > these will be different in the Linux kernel and so by this rule, strictly > speaking each vuln would get it's own CVE, but in general if they all > affect the same broad version of the Linux Kernel they can be bucketed > together. > > So assuming the homework is done of properly identifying and classifying > these security vulnerabilities then you can simply request CVE's for all of > them, the worst ones, or whatever you want. I would of course prefer that > all of them be identified/tracked but that's just me. Nevermind, you're missing the point of what I'm asking :) >> In particular, the 100 bugs that I'm referring to are the bugs >> reported by syzbot (perhaps there's even more: >> https://syzkaller.appspot.com/?fixed=upstream) and the 10 bugs (or so) >> are the ones Vladis announced on oss-security over the last few >> months. I'm just curious how did he choose those 10 bugs out of that >> 100+. >> > > You'd have to ask him. That's exactly what I did.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ