Date: Fri, 25 May 2018 16:59:11 +0200
From: Andrey Konovalov <andreyknvl@...il.com>
To: oss-security@...ts.openwall.com
Cc: Vladis Dronov <vdronov@...hat.com>
Subject: Re: CVE-2018-1130: Linux kernel: dccp: a null pointer
 dereference in net/dccp/output.c:dccp_write_xmit

On Fri, May 25, 2018 at 3:49 PM, Kurt Seifried <kseifried@...hat.com> wrote:
> On Fri, May 25, 2018 at 4:48 AM, Andrey Konovalov <andreyknvl@...il.com>
> wrote:
>> Hi Kurt,
>>
>> Perhaps I should've been more clear. I wasn't asking "what qualifies
>> for a CVE?", but rather "There are 100 bugs that qualify for CVEs;
>> how do you single out 10 of them to actually request CVEs for?".
>>
>
> So if a security vulnerability qualifies for CVE INCLUSION (see
> https://cve.mitre.org/cve/editorial_policies/counting_rules.html) the next
> step is to SPLIT and MERGE the vulns as needed. Essentially what we want is
> to end up with buckets where each bucket of vulnerability(s) is:
>
> 1) unique to a specific code base
> 2) unique to a specific version(s)(*)
> 3) the same root cause (this is where you have to do homework)
>
> * Note: the version thing, obviously the affected versions/commits for
> these will be different in the Linux kernel and so by this rule, strictly
> speaking each vuln would get its own CVE, but in general if they all
> affect the same broad version of the Linux kernel they can be bucketed
> together.
>
> So assuming the homework is done of properly identifying and classifying
> these security vulnerabilities, then you can simply request CVEs for all of
> them, the worst ones, or whatever you want. I would of course prefer that
> all of them be identified/tracked, but that's just me.

Never mind, you're missing the point of what I'm asking :)

>> In particular, the 100 bugs that I'm referring to are the bugs
>> reported by syzbot (perhaps there are even more:
>> https://syzkaller.appspot.com/?fixed=upstream) and the 10 bugs (or so)
>> are the ones Vladis announced on oss-security over the last few
>> months. I'm just curious how he chose those 10 bugs out of that
>> 100+.
>>
>
> You'd have to ask him.

That's exactly what I did.
