[Ksummit-discuss] [MAINTAINERS SUMMIT] CVE patches annotation
Takashi Iwai
tiwai at suse.de
Tue Sep 11 12:00:58 UTC 2018
On Tue, 11 Sep 2018 13:57:09 +0200,
Justin Forbes wrote:
>
> On Mon, Sep 10, 2018 at 8:11 PM, Eduardo Valentin <edubezval at gmail.com> wrote:
> > Hello,
> >
> > I would like to open a discussion on improving the annotation
> > around CVE patches on the Linux kernel. Today, the kernel Documentation
> > mentions about CVE assignment and asks as a good practice to at least
> > mention the CVE number in the patch [1]. But, is that enough?
> > Should the kernel have more info about what patches fixes a specific
> > CVE?
> >
> > Some of the challenges with current process:
> > - The info about of about what CVEs have been patched in a kernel is
> > outside the kernel tree / git history.
> > - Today, some patches have the CVE info, and many others do not mention
> > anything about CVE number.
> > - As mentioned in the kernel documentation [1], not always the CVE
> > number is assigned when the patch(es) go into the kernel tree, so
> > maybe this may require some post merge annotation?
>
> This is also sometimes relevant when you can fix and embargoed CVE
> before embargo lifts because the actual fix doesn't make it obvious
> that there is a security issue. Obfuscation is a somewhat useful tool
> when fixing security bugs sometimes. I would rather get the patches
> in sooner than have them be properly annotated for the security fixes
> they really are.
I hoped that git-notes could be used for such additional post-release
notes. But it seems that it never flies well due to various
reasons...
Takashi
More information about the Ksummit-discuss
mailing list