Re: Missing critical patches of several high-risk bugs
On Thu, May 13, 2021 at 10:22:05PM -0700, syzscope sys wrote:
> I just found out that Ubuntu is on the CVE CNA list.
> Do you think it's possible that Ubuntu could assign the CVEs for those
> issues directly instead of asking Google? Once the CVE is assigned, it
> should also not only benefit Ubuntu but also other potentially affected
> kernels.

Yes, Ubuntu is a CNA -- it's one of my roles. :)

I suggested using one of Google's CNAs for a few reasons:

- Google has vastly more resources than we do. Doing a decent job of
  assigning CVEs takes time and effort, and we're already trying to do
  too much with too few resources. Taking on the essentially unbounded
  amount of work of "assign CVEs for all syzkaller findings" is simply
  speaking not a commitment that I can make.

- Google's syzkaller and infrastructure is already doing the work to
  find and publicise the issues; it's quite common for vulnerability
  discoverers to use their own internal CNA resources for this.

I know Canonical, and Ubuntu users, would be better off if someone
assigned CVEs to these findings. It's just not something I can commit to
doing because of the scale of work involved.

Thanks

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Missing critical patches of several high-risk bugs
Hi Seth,

I just found out that Ubuntu is on the CVE CNA list.
Do you think it's possible that Ubuntu could assign the CVEs for those
issues directly instead of asking Google? Once the CVE is assigned, it
should also not only benefit Ubuntu but also other potentially affected
kernels.

On Tue, May 11, 2021 at 6:57 PM Seth Arnold wrote:
> On Fri, May 07, 2021 at 05:47:51PM -0700, SyzScope wrote:
> > This is SyzScope, a research project that aims to reveal high-risk
> > primitives from a low-risk bug.
>
> Hello, this is pretty cool stuff. Continuing on 'executing' beyond the
> point when ASAN has given up has given some pretty cool results.
>
> I think the best way to get the most benefit out of this work is to
> prioritize requesting CVEs for these issues with the Google CNA. Having
> these additional details clearly visible to everybody using the CVE
> infrastructure would benefit not only Ubuntu but also all our friends
> in the other distributions.
>
> There's two Google CNAs registered with the CVE project:
> https://cve.mitre.org/cve/request_id.html
> android-cna-t...@google.com
> secur...@google.com
>
> I'll be honest, I don't know which CNA would be better; you may need to
> discuss the project with both in order to figure out how to best handle
> the work.
>
> Thanks
Re: Missing critical patches of several high-risk bugs
On Fri, May 07, 2021 at 05:47:51PM -0700, SyzScope wrote:
> This is SyzScope, a research project that aims to reveal high-risk
> primitives from a low-risk bug.

Hello, this is pretty cool stuff. Continuing on 'executing' beyond the
point when ASAN has given up has given some pretty cool results.

I think the best way to get the most benefit out of this work is to
prioritize requesting CVEs for these issues with the Google CNA. Having
these additional details clearly visible to everybody using the CVE
infrastructure would benefit not only Ubuntu but also all our friends
in the other distributions.

There's two Google CNAs registered with the CVE project:
https://cve.mitre.org/cve/request_id.html
android-cna-t...@google.com
secur...@google.com

I'll be honest, I don't know which CNA would be better; you may need to
discuss the project with both in order to figure out how to best handle
the work.

Thanks