Received: by 2002:a05:6500:1b8f:b0:1fa:5c73:8e2d with SMTP id df15csp1235048lqb; Thu, 30 May 2024 04:44:46 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCVR+ustbJCAGbskYdNDlhSYtcHEZ5VZjHwdsa34BnmzvBg1Nj05n4iY+O7eZe+OVK4Cyt41YFN6IrmUs/YoazKFBpaEcseVKEkhP3k6fQ== X-Google-Smtp-Source: AGHT+IEx0IXXVcVtcJCQ1P61L0bhIq8UFzxDBBS3FwC/y9vRrrVDnc33L9LfwXLKqP5URcCK7825 X-Received: by 2002:a17:907:98e:b0:a65:e201:33e with SMTP id a640c23a62f3a-a65e88126dcmr172642566b.0.1717069486008; Thu, 30 May 2024 04:44:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1717069485; cv=none; d=google.com; s=arc-20160816; b=bW5I6mkIhudqNgBvO73C70dDWE1Jm5ocbuh/7Bzb2AOyrhQXYF0RfQMSwG1o5VyeFG 7TL0prFsAJjfumWLYMpfzXJF06LTYwR/eqhOHiWntcj42SvhMoX4e8FnrHv47OVnL81a E12gSfB71dFwGFNj5EvNmlioLi+PlAMejXPLPIDU/2qlXntOGGd1sjijBdnllAa1aVli nekFmLVW6kvGkdUv0X2yEMVqKOdM48XFBMgY4kVgjIX3MK4NApnWojimF6IAoa+T3wH4 oQdKEz3IBTZWx69LmLFmgjJW9j7wZ8vbm8i4Mg6hr1e+X1ANXj5oy+kLFh9J+MMGqjYu N2gQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:in-reply-to:content-disposition:mime-version:references :message-id:cc:to:from:date:dkim-signature:delivered-to:delivered-to :reply-to:list-id:list-subscribe:list-unsubscribe:list-help :list-post:precedence:mailing-list; bh=oNYFnptrhHFc+E35DIpNV0Gef2d7lcueib81/cy4H/s=; fh=K2Rk1+qQMkSZPssYmYi1BkLpXv2O/hQ3Y7czDwnG31g=; b=nXHDfCp0rYndwk4a3MDFlyjcsA59ahQ7j/df9yHIEYOjTkHBX/Lga869lylMSr5XMo eoQ0yT5dQg3Bv3ucn1vd/cVlgumJUJyJOsMM+ivzKeCdL0dHCVuRuxsHeHrOifEuqJj/ KRIFtvQfMfXSje46GFG8vX0+1XFalI4IC3WH3azH1+QMuhw/6osaMWjikW/sxiRcN1VJ r5tyCbq334YFVWkLl8Mp5SDqGNM0b8YieJbZB4yquze6By+QvSHANbrEe4uvxAR+6+Xb j0BJh9quARAs5EC3lhs+MtPejd/8caWdJN4ov/50uM/s0h8zPf8ODZl5+xCZ8ep0vuSO UBtw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@codewreck.org header.s=2 header.b=YzkFqjHd; spf=pass (google.com: domain of oss-security-return-30174-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30174-linux.lists.archive=gmail.com@lists.openwall.com"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=codewreck.org Return-Path: Received: from second.openwall.net (second.openwall.net. [193.110.157.125]) by mx.google.com with SMTP id a640c23a62f3a-a626cdca337si749502366b.910.2024.05.30.04.44.45 for ; Thu, 30 May 2024 04:44:45 -0700 (PDT) Received-SPF: pass (google.com: domain of oss-security-return-30174-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125; Authentication-Results: mx.google.com; dkim=fail header.i=@codewreck.org header.s=2 header.b=YzkFqjHd; spf=pass (google.com: domain of oss-security-return-30174-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30174-linux.lists.archive=gmail.com@lists.openwall.com"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=codewreck.org Received: (qmail 22035 invoked by uid 550); 30 May 2024 11:44:27 -0000 Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: oss-security@lists.openwall.com Delivered-To: mailing list oss-security@lists.openwall.com Delivered-To: moderator for oss-security@lists.openwall.com Received: (qmail 23958 invoked from network); 30 May 2024 04:46:10 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=codewreck.org; s=2; t=1717044360; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=oNYFnptrhHFc+E35DIpNV0Gef2d7lcueib81/cy4H/s=; b=YzkFqjHdXcRsqjXTfevkAu5W2siNKYocyDfrR0OMm+NqioB8bXRMpKbKqzzs9gpKLKiSYR sXLVsswpGw3abWtmkSyn51MrC+yBqJlh24RRbZFZJcYm+9Ou6JtHJzXyF8TCXlimPxDpdz DSquStnLXvXnIHNF82a9RcE0qkm+2N90vSGiryrARLWYHY0XWR5DzWHH7mJN3Z9gtL7Kh+ fVTV3STLB8iFY/mGGVWinVUjqPn59yr6ShFbJ+JvVvhC4hNId5/kNZ2SU3Cj9B3IgDdDeY EIr7QQ2ieYTqd9Vc/8Nu40pJgEWp31NWu2JpoJO6ATJe7heeMNmoi0A8XPuHzQ== Date: Thu, 30 May 2024 13:45:39 +0900 From: Dominique Martinet To: Greg Kroah-Hartman Cc: oss-security@lists.openwall.com Message-ID: References: <2024052926-moneyless-applause-a95b@gregkh> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <2024052926-moneyless-applause-a95b@gregkh> Subject: Re: [oss-security] List linux CVEs for a given stable release? Greg Kroah-Hartman wrote on Wed, May 29, 2024 at 09:23:50PM +0200: > > The information is there in the json files, so it's just a matter of > > writing some scripts to check them, but I can't believe there's none so > > I probably have missed something. > > > > Does someone have such a script that'd list the latest CVEs for a given > > tree? > > How about something as simple as the following to see what is in > 5.10.101: > > for id in $(git log --format="%H" v5.10.100..v5.10.101); do > cve=$(cve_search ${id}) > cve_found=$? > if [[ "${cve_found}" == "0" ]]; then (pedantic: `if cve=$(cve_search "$id"); then` is a bit simpler/failproof) > echo "${cve} is in range" > fi > done That's roughly what I had done earlier this week (handpicking the commits that could impact our users), but this doesn't address my second point as it won't catch any new CVE introduced before that tree that wasn't fixed. (also probably a bit more efficient to go by version tag since we have the info in the json, more below) > > My motivation here is double: > > - We notify our users of notable CVEs fixed on every update to encourage > > them to upgrade every time (it's sad, but in the embedded world not > > updating is still the norm despite our efforts to make upgrades as > > painless as possible... New regulations are coming so hopefully that > > will slowly improve, but as of now such motivations help) > > The issue is, CVEs are assigned usually long _AFTER_ the stable release > has happened. So if you want to do this type of report for the latest > stable release, it will look like there are no CVEs. But if you wait a > few weeks, suddenly that old release will have many CVEs assigned to > them. > > This is just due to the process we currently have where we review each > commit in the stable releases to determine if a CVE should be assigned > or not. Obviously this takes time and we are running a few weeks behind > the current releases. > > So you would have to run the script a lot, to keep it up to date, which > is why a "how many CVEs are listed in the latest release" isn't really > going to be all that valuable to your users. Right; I don't need this to be 100% complete -- as long as a couple of issues turn up it's probably good enough motivation. In practice just listing a bunch of numbers probably won't change the way people think, so I'm taking the time to briefly describe potential impacts (what component, very broad trigger conditions e.g. network packet or local access, likely risk if exploited e.g. RCE, memory leak...); so ultimately it requires looking at things in more details than I have time to check for all CVEs and will likely keep checking a few "juicy" ones... But it's a very good point, we should check again regularly and update that list if some new bad thing stands out. > > - I'm currently not watching patches entering newer stable branches as > > closely, so if there are any new CVEs not fixed in the latest 5.10 I'd > > like to check if some impact us and will help with backports as possible > > (we're a small company so my time is limited, but might as well give > > back when I can) > > That would be great, for where we know, we list when a vulnerability was > added to the tree, and where it was fixed. That can leave many branches > still vulnerable where we have not fixed the issue yet. One example > would be CVE-2024-26629. > > You can see these in our repo by just doing: > git grep "5\.10" | grep introduced | grep -v fixed I didn't think of checking the mails, that's certainly easier to grep than json as it's line-oriented. It's going to take a bit more of processing to check not just bugs that were backported in the stable trees, but things introduced in earlier kernels... Someting like this? rg -l 'Issue introduced in ([234]\.[0-9]* |5\.[0-9] |5\.10\.[0-9]* )' | sort > introduced_before_5.10 xargs rg -l 'fixed in 5\.10' < introduced_before_5.10 | sort > fixed_in_5.10 comm -3 introduced_before_5.10 fixed_in_5.10 |tail cve/published/2024/CVE-2024-35844.mbox cve/published/2024/CVE-2024-35904.mbox cve/published/2024/CVE-2024-35951.mbox cve/published/2024/CVE-2024-35971.mbox cve/published/2024/CVE-2024-36009.mbox cve/published/2024/CVE-2024-36013.mbox grep 'Issue introdu' cve/published/2024/CVE-2024-35971.mbox Issue introduced in 5.8 with commit 797047f875b5 and fixed in 6.1.87 with commit 492337a4fbd1 Issue introduced in 5.8 with commit 797047f875b5 and fixed in 6.6.28 with commit cba376eb036c Issue introduced in 5.8 with commit 797047f875b5 and fixed in 6.8.7 with commit 49d5d70538b6 Issue introduced in 5.8 with commit 797047f875b5 and fixed in 6.9 with commit be0384bf599c The regex is a bit too manual to make a generic search script, and that feels very kludgy (at least mbox files do look like they get updated together with json), but that can be enough for my local needs for now. I was thinking something more along the line of parsing all the json files for containers.cna.affected by release version item (versionType != git); It should be possible for a given stable tag to check if a given CVE applies or not immediately so it would be a matter of making this a bit more searchable -- probably make a reverse index with all the edges for faster search and keep appending new CVEs as they pop up. But it's a bit more work, so I'll gratefully take the grep mailboxes version for now :) > But note that for some issues, we don't have the information for when > they are introduced, so if they are not fixed in the 5.10 branch, does > that mean the branch _is_ vulnerable, or is not? One example of a "is > not" might be CVE-2024-35867 as we think the code isn't present in 5.10, > but we don't have an automated way of determining that. So that would > take more work than just a simple grep of the tree. Yes, these (basically patches without a Fixes:) will always be problematic; basically would need to also check all mails with "Fixed in [newer versions]" without the "Issue introduced in" text. Capitalization on Fixed can differentiate this so something like this? rg -l 'Issue introduced in ([234]\.[0-9]* |5\.[0-9] |5\.10\.[0-9]* )|Fixed in' This is bringing up the list of candidates from 101 to 543 so the initial check is going to be "fun"; I'll probably stick to the first variant for now... Also, in this case the json properly defaults to affected so a search by json as suggested above would also turn them up for further inspection. Well, either way we won't get around the problem that much manual work is still required; as said in my first mail my time is quite limited but I'll try to check a few from time to time. Ideally we'll want to limit duplicating this work for other downstreams... So: - get more people to look at these - if unaffected (e.g. CVE-2024-35867 you singled out above as not affecting 5.10), report it so the reference files can be updated - if affected backport patch, so it can be fixed and the refernece file can also be updated. - less work for everyone else! But finding volunteers for that kind of work might not be quite as easy as I make it sound like :) Cheers, -- Dominique Martinet | Asmadeus