bboreham, 3 months ago

@RichiH it says how to ask for a fix to be assigned a CVE, so clearly every fix will not get a CVE automatically.

RichiH, 3 months ago

@bboreham it says how to get additional ones, but the language is clear:

> Because of this, the CVE assignment team is overly cautious and
> +assign CVE numbers to any bugfix that they identify
> [...]
> assignment will only automatically happen after a fix
> +is available and applied to a stable kernel tree, and it will be tracked
> +that way by the git commit id of the original fix.

I'd love to be wrong.

bboreham, 3 months ago

@RichiH you seem to be reading “any bugfix that they identify” as “every bugfix”, while Greg is saying that CVEs will be assigned for bugfixes that relate to security.

RichiH, 3 months ago

@bboreham I am not seeing that reading, as it's clearly stated "almost any bug might be exploitable to compromise the security of the kernel" and thus "the CVE assignment team is overly cautious and assign[s] CVE numbers to any bugfix that they identify"

The LKML thread walks back on this, but the fact that there's a thread seems proof that several people read it similarly to how I read it

The passive aggressive phrasing of the policy does not bode well, either

Again, I would love to be wrong

JmbFountain, 3 months ago

@RichiH in a later response to a SUSE engineer GKH clarifies it a lot:

https://lore.kernel.org/lkml/2024021459-trimness-bolt-7185@gregkh/

RichiH, 3 months ago

@JmbFountain I discussed this topic with Greg-KH in the past; we ended up very much not agreeing.

This is less an explanation and more a completely different plan as it goes explicitly against the written policy.

I certainly hope that they will end up not implementing it as written, but why write it that way then?

RichiH, 3 months ago

The rest of the industry is moving to "unless you have a PoC in hand, it's not an exploit" for very good reasons. Anyone maintaining any open source project knows the pain of random people running scanners without skill or understanding and demanding free labor. Or the bug bounty beggars. And yes, NVD is a clown show.

But flooding everything with shit is not the answer.

sakjur, 3 months ago

@RichiH On the other hand, maybe this will finally break the thin thread of awfulness that is the NVD and leave room for a more reasonable replacement?

Hard to think of what that’d be like, but maybe the notion of reporting every bug and having some sort of extension per ecosystem that’d let you validate whether your implementation is possibly vulnerable where that’s possible. Something that’d allow static analysis to be made with higher quality 🤔

RichiH, 3 months ago

@sakjur NVD is a clown show, but I do not believe that breaking the CVE process at large is the fix for that.

And as the stated intention is to challenge any external CVEs, they could arguably do without that.

But they need to publish CVE to have good standing to do that. And there's an easy or a correct way to do that.

RichiH, 3 months ago

All of this reminds me of the infamous talk Linus gave at Google, presenting this new thing called Git.. "SHA1 might not be considered secure any more, but I can use it as it's not security relevant <20 minutes later> and if I lose my computer I can simply copy my kernel repository from anywhere and just compare the commit id in HEAD and trust that everything is correct"

With people as smart as the core kernel folks are, it's hard to find a good faith interpretation.