From: Justin Forbes <jforbes@redhat.com>
To: Eduardo Valentin <edubezval@gmail.com>
Cc: ksummit <ksummit-discuss@lists.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] CVE patches annotation
Date: Tue, 11 Sep 2018 06:57:09 -0500
Message-ID: <CAFbkSA2spzRzya=ftfTxK3Wca=wnNwg7x2o+rM5s8s201=R3Rw@mail.gmail.com>
In-Reply-To: <20180911011056.GA6958@localhost.localdomain>
On Mon, Sep 10, 2018 at 8:11 PM, Eduardo Valentin <edubezval@gmail.com> wrote:
> Hello,
>
> I would like to open a discussion on improving the annotation
> around CVE patches on the Linux kernel. Today, the kernel Documentation
> mentions CVE assignment and asks, as a good practice, to at least
> mention the CVE number in the patch [1]. But, is that enough?
> Should the kernel have more info about what patches fix a specific
> CVE?
>
> Some of the challenges with current process:
> - The info about what CVEs have been patched in a kernel is
> outside the kernel tree / git history.
> - Today, some patches have the CVE info, and many others do not mention
> anything about the CVE number.
> - As mentioned in the kernel documentation [1], the CVE number is not
> always assigned when the patch(es) go into the kernel tree, so
> maybe this may require some post-merge annotation?
This is also sometimes relevant when you can fix an embargoed CVE
before the embargo lifts, because the actual fix doesn't make it obvious
that there is a security issue. Obfuscation is a somewhat useful tool
when fixing security bugs sometimes. I would rather get the patches
in sooner than have them be properly annotated for the security fixes
they really are.
> - It is not always straightforward to know what patches are needed to
> fix the CVE, especially in cases where the fix requires a series of
> preparation work before the actual fix.
>
> Especially in the latter case, annotation can help, especially while
> backporting.
>
It might be helpful in the cases where the fixes go in before the CVE
is announced/disclosed, to have the author send a summary once things
are public?
> BR,
>
>
> [1] - https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html