[Ksummit-discuss] [MAINTAINERS SUMMIT] CVE patches annotation

Justin Forbes jforbes at redhat.com
Tue Sep 11 11:57:09 UTC 2018


On Mon, Sep 10, 2018 at 8:11 PM, Eduardo Valentin <edubezval at gmail.com> wrote:
> Hello,
>
> I would like to open a discussion on improving the annotation
> around CVE patches on the Linux kernel. Today, the kernel Documentation
> mentions CVE assignment and asks, as a good practice, to at least
> mention the CVE number in the patch [1]. But, is that enough?
> Should the kernel have more info about which patches fix a specific
> CVE?
>
> Some of the challenges with current process:
> - The info about what CVEs have been patched in a kernel is
>   outside the kernel tree / git history.
> - Today, some patches have the CVE info, and many others do not mention
>   anything about the CVE number.
> - As mentioned in the kernel documentation [1], the CVE number is not
>   always assigned when the patch(es) go into the kernel tree, so
>   maybe this may require some post-merge annotation?

This is also sometimes relevant when you can fix an embargoed CVE
before the embargo lifts because the actual fix doesn't make it obvious
that there is a security issue. Obfuscation is a somewhat useful tool
when fixing security bugs sometimes. I would rather get the patches
in sooner than have them be properly annotated for the security fixes
they really are.

> - It is not always straightforward to know what patches are needed to
>   fix the CVE, especially in cases where the fix requires a series of
>   preparation work before the actual fix.
>
>   Especially in the latter case, annotation can help, especially while
>   backporting.
>
It might be helpful in the cases where the fixes go in before the CVE
is announced/disclosed, to have the author send a summary once things
are public?

> BR,
>
>
> [1] - https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html
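The gap the thread describes (CVE information living outside git history, and only some commits carrying a CVE id) can be measured directly from the log. The following is an added example, not code from the thread or from the kernel tree: it parses `git log` output in a machine-friendly format, builds a CVE-to-commit index from whatever ids the commit messages do mention, and lists the commits that carry no CVE id at all. The sample log is constructed inline; its hashes and its CVE id (CVE-2018-99999) are placeholders, not real kernel commits or a real CVE.

```python
import re
from collections import defaultdict

# Matches CVE ids as they appear in commit messages, e.g. "This fixes CVE-2018-99999."
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample in the shape produced by
#   git log --format='%H%x1f%s%x1f%b%x1e'
# (0x1f between fields, 0x1e after each commit). Placeholder hashes and CVE id.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\x1f"
    "net: foo: factor out length helper\x1f"
    "Preparation for the bounds fix, no functional change.\n\x1e\n"
    "2222222222222222222222222222222222222222\x1f"
    "net: foo: validate length before copy\x1f"
    "Reject oversized input. This fixes CVE-2018-99999.\n\x1e\n"
    "3333333333333333333333333333333333333333\x1f"
    "docs: tweak wording\x1f"
    "\x1e\n"
)


def parse_log(text):
    """Split the formatted log into commits: {'sha', 'subject', 'body'}."""
    commits = []
    for rec in text.split("\x1e"):
        # Strip only newlines: str.strip() with no argument would also eat the
        # 0x1f field separators, which Python treats as whitespace.
        rec = rec.strip("\n")
        if not rec:
            continue
        sha, subject, body = rec.split("\x1f", 2)
        commits.append({"sha": sha, "subject": subject, "body": body})
    return commits


def cve_index(text):
    """Map each CVE id mentioned in a subject or body to the commits mentioning it."""
    index = defaultdict(list)
    for c in parse_log(text):
        message = c["subject"] + "\n" + c["body"]
        for cve in sorted(set(CVE_RE.findall(message))):
            index[cve].append(c["sha"][:12])
    return dict(index)


def unannotated(text):
    """Commits whose message carries no CVE id (preparation patches land here too)."""
    return [
        c["sha"][:12]
        for c in parse_log(text)
        if not CVE_RE.search(c["subject"] + "\n" + c["body"])
    ]


if __name__ == "__main__":
    # On a real tree, replace SAMPLE_LOG with the output of the git command above.
    for cve, shas in cve_index(SAMPLE_LOG).items():
        print(f"{cve}: {', '.join(shas)}")
    print("no CVE id:", ", ".join(unannotated(SAMPLE_LOG)))
```

Note that the index only ever sees what the commit message says, which is exactly the limitation the thread raises: the preparation commit above is invisible to this scan even though a backport of the fix needs it, and a fix merged under embargo without any CVE mention is invisible as well.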
