Received: by 2002:a05:7412:1e0b:b0:fc:a2b0:25d7 with SMTP id kr11csp633978rdb; Thu, 15 Feb 2024 10:20:49 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCUTPp1dPt0VnsozKTiwI78hL7m/yyUpV52vhWsvltyw4J53U7Q2EM/723d8Xs4aAlvrVOIoIAzYC5VGqrp8K+CAbuXI0dTx75VXQ8yCGA== X-Google-Smtp-Source: AGHT+IFqW86FZnGSsjSrg1eGmot3CKYaHlXjjYvwa5k57k9Sjhp7h6Xj9r87RdVULRIsdGt3DHwc X-Received: by 2002:a0c:9a91:0:b0:68c:4ab9:4620 with SMTP id y17-20020a0c9a91000000b0068c4ab94620mr2050470qvd.42.1708021249413; Thu, 15 Feb 2024 10:20:49 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708021249; cv=pass; d=google.com; s=arc-20160816; b=qx8y1eb61NMhe88i8jfGGm+2/qo7vDcd0g8knyZgqQkxqihUzI2ryQ/oP0GBxE4U+C 8sototb/oS6k3oZESFnVWf0NzE21HvJ85dr5+pPwros69Myl1xIDG7EPAxCPSLe01Zmn aSM1vINDL9P9eMBUXL3W2Rq932D3vZ0JZ0XvZr1kZOhZ4eMWW+8epc3ODFPZC67syWd5 WtMB+3ddDwIg+p/ySB0oNlDwvz3m1O03KYHou5Vq454FuE1rsVvtYcYrs6L/IjY3njK9 GJIZfvhIhaeus8MoneIJnbZlZDhVb/4EdkEABsfZ5X4BwU0jdkE7cEQdsNtulcykEgKQ hGVA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=e3IwZWLbcFZElj/BVlRtaYC8gfgDwq/8Emk6f37BMTo=; fh=MegolTgbrXE95LLri+qIhUr//oFpYl0PvsBCIxRMz2M=; b=VkFxlz8F+UAaM6/CqSi5k314CJ5iLW6IaA2NGkzTbn1ppwccsJ26/T5mqf4XXDYelY xph+R5HW5RJsScjwODxEDV3+aZ9fSGZeVErq7WZCe0lJ1vp8yG1Ovmj22en1YheYFqMj W9xQ9FqnAdCwKRCRwOKKt33RxfaoylsW4e3Y+4p29IGqFEEr4x1fAo8RVNv+GXAlaDEO DLEiA+qdtxbQu3cOvXW5quq2IlIPiucXdlc3xZO6I3tRESqqxEkignrK3z3OsJDal2gJ Viu3KzW51T+rUCp+NOJ2Op3QlLPVLgJdhq6FiT6n9F4K68RefEfYllzIiG00QAFi7DDl qVJA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=ChKhQcmg; arc=pass (i=1 dkim=pass dkdomain=linuxfoundation.org); spf=pass (google.com: domain of linux-kernel+bounces-67486-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-67486-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id jo18-20020a056214501200b0068f0262df29si2077571qvb.163.2024.02.15.10.20.49 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 15 Feb 2024 10:20:49 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-67486-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=ChKhQcmg; arc=pass (i=1 dkim=pass dkdomain=linuxfoundation.org); spf=pass (google.com: domain of linux-kernel+bounces-67486-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-67486-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id A0A161C22127 for ; Thu, 15 Feb 2024 18:20:20 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id DB19A1386AA; Thu, 15 Feb 2024 18:20:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="ChKhQcmg" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E94AA138494; Thu, 15 Feb 2024 18:20:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708021213; cv=none; b=SoJfdTkUtEb7d+j9XC566Zw4NF4LHaCMNFp2xOMPOQ/0iXQa8ehlMU/cs/5M/IBmvB4TzF7UcCWuPjm6Ksj78wBwGAFiPD+3MRRYWdUi95jVBiukpWux9QowVGxDDR6kn0hLGiLEBupcSgWxgOEEZGVfDgPrHjYwvOR8hV23n0s= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708021213; c=relaxed/simple; bh=MRpnfen0ZWzFE1XgOJl3rOhrZAuKnsTO4m98xqLleB4=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=fhS9mkpksi7/bJzeqqMssnQv/3scNh5q+lvZA/CG4DMCrNFSL4Oun5al+neq3SO0ShRfBg6Bx6WjAvuPS6z1Dvo8o5GHB5X2DLxTh8C7OR44aXQvm5OGmeY4em8WCBcO+jDPhu/VO+qMsONEVR/dOpc/6JEs6VQjCKtAv4Mx2OU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=ChKhQcmg; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 34BD6C433F1; Thu, 15 Feb 2024 18:20:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1708021212; bh=MRpnfen0ZWzFE1XgOJl3rOhrZAuKnsTO4m98xqLleB4=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=ChKhQcmgGqA6GFHftkDnUBYu6M7+wQHviAPSGU/IFcTDAMb1OhJOZQQzR5dzuV6mA gIv+WZ03dRCVJYSNF3+4/WMls04NKNb6AlgKcKUiDMZSFO1M9FaoiY5xY7YvwkpkT3 khAin5KoLw3zBv1AFV3eVlHzHP68V6JGbPdFxsVc= Date: Thu, 15 Feb 2024 19:20:09 +0100 From: Greg Kroah-Hartman To: Michal Hocko Cc: corbet@lwn.net, workflows@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, security@kernel.org, Kees Cook , Sasha Levin , Lee Jones Subject: Re: [PATCH v3] Documentation: Document the Linux Kernel CVE process Message-ID: <2024021518-stature-frightful-e7fc@gregkh> References: <2024021430-blanching-spotter-c7c8@gregkh> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Thu, Feb 15, 2024 at 06:54:17PM +0100, Michal Hocko wrote: > On Wed 14-02-24 09:00:30, Greg KH wrote: > [...] > > +Process > > +------- > > + > > +As part of the normal stable release process, kernel changes that are > > +potentially security issues are identified by the developers responsible > > +for CVE number assignments and have CVE numbers automatically assigned > > +to them. These assignments are published on the linux-cve-announce > > +mailing list as announcements on a frequent basis. > > + > > +Note, due to the layer at which the Linux kernel is in a system, almost > > +any bug might be exploitable to compromise the security of the kernel, > > +but the possibility of exploitation is often not evident when the bug is > > +fixed. Because of this, the CVE assignment team is overly cautious and > > +assign CVE numbers to any bugfix that they identify. This > > +explains the seemingly large number of CVEs that are issued by the Linux > > +kernel team. > > Does the process focus only on assigning CVE numbers to a given upstream > commit(s) withou any specifics of the actual security threat covered by > the said CVE? Outside of the git commit text, no, we are not going to be adding anything additional to the report, UNLESS someone wants to add additional text to it, and then we will be glad to update a CVE entry with the additional information. Here's an example of what the CVE announcement is going to look like for a "test" that we have been doing for our scripts https://lore.kernel.org/linux-cve-announce/2024021353-drainage-unstuffed-a7c0@gregkh/T/#u Note, I am NOT saying this is a valid CVE-like commit, I only chose it because it is a type of entry that our tools need to handle properly (one where the fix was for a commit that was only in a stable tree, and mainline never saw the problem.) There are many different "styles" of fixes that we need to handle when it comes to version information. It will also be in JSON format on the cve.org site if you wish to parse it automatically with tools. We are still working out the proper format of the JSON entries of the version information and should hopefully have an agreement of how to do this early next week, as the logic there isn't exactly "simple". If the announcement format needs additional work, please let us know. thanks, greg k-h