Hi Kalle,
Due to recent events we were asked about some vulnerability fixes for
brcmfmac. We already fixed a couple of things without referring to a
so-called CVE-ID, which is what people are asking for. Do we have an
upstream policy on that? I could not really find anything in the
Documentation folder (but I may have overlooked it). Might be worth
mentioning in the commit message like with the Coverity IDs.
Regards,
Arend
On Thu, 2017-09-07 at 10:40 +0200, Arend van Spriel wrote:
> Hi Kalle,
>
> Due to recent events we were asked about some vulnerability fixes for
> brcmfmac. We already fixed a couple of things without referring to a
> so-called CVE-ID, which is what people are asking for. Do we have an
> upstream policy on that? I could not really find anything in the
> Documentation folder (but I may have overlooked it). Might be worth
> mentioning in the commit message like with the Coverity IDs.
Sure.
git log --grep "CVE-"
shows it being done frequently.
johannes
On Thu, 2017-09-07 at 11:38 +0200, Arend van Spriel wrote:
>
> Ok. So doing this I see a number of instances where the CVE-ID is
> mentioned in the commit message, but there are also instances that
> use the 'Fixes:' tag. Does it make sense to use that or does it
> serve another purpose?
Huh, I don't think that makes sense - the Fixes: tag should be for the
commit that introduced the bug. I guess parsers will have to ignore
garbage so it's probably safe, but I don't think you could mine for CVE
fixes that way anyway ...
johannes
On 07-09-17 11:40, Johannes Berg wrote:
> On Thu, 2017-09-07 at 11:38 +0200, Arend van Spriel wrote:
>>
>> Ok. So doing this I see a number of instances where the CVE-ID is
>> mentioned in the commit message, but there are also instances that
>> use the 'Fixes:' tag. Does it make sense to use that or does it
>> serve another purpose?
>
> Huh, I don't think that makes sense - the Fixes: tag should be for the
> commit that introduced the bug. I guess parsers will have to ignore
> garbage so it's probably safe, but I don't think you could mine for CVE
> fixes that way anyway ...
Indeed. I see a lot of different ways in which the CVE-IDs are
referenced, which makes mining for a list of CVE-IDs between releases
hard. Seems like a useful thing to have though, but people may grow
tired of all the different tags :-p
Regards,
Arend
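As an added example (not part of this thread and not code from the kernel tree), here is a small Python script for the mining Arend describes: it lists every CVE-ID referenced in commit bodies between two refs, whatever the case or placement, and separately flags "Fixes:" tags that carry a CVE-ID instead of the offending commit, which, as Johannes says, is not what the tag is for. The "%x00%H%n%B" log layout and the sample commits are my own constructions.

```python
"""Mine CVE-IDs from commit messages between two git refs (added example)."""
import re
import subprocess
from collections import defaultdict

# CVE-IDs show up in bodies in mixed case and in odd places; match them all.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
# A well-formed Fixes: tag names the commit that introduced the bug:
#   Fixes: <12..40 hex sha> ("subject")
FIXES_OK_RE = re.compile(r"^\s*Fixes:\s*[0-9a-f]{12,40}\s+\(", re.IGNORECASE)
FIXES_ANY_RE = re.compile(r"^\s*Fixes:", re.IGNORECASE)

def parse_log(text):
    """Split `git log --format=%x00%H%n%B` output into (sha, body) pairs.
    A NUL separator is used because '---' or blank lines may occur in bodies."""
    commits = []
    for chunk in text.split("\x00")[1:]:
        sha, _, body = chunk.partition("\n")
        commits.append((sha.strip(), body))
    return commits

def mine(commits):
    """Return ({CVE-ID: [shas]}, [(sha, bad Fixes: line)]) for (sha, body) pairs."""
    by_cve = defaultdict(list)
    bad_fixes = []
    for sha, body in commits:
        for cve in sorted({f"CVE-{y}-{n}" for y, n in CVE_RE.findall(body)}):
            by_cve[cve].append(sha)
        for line in body.splitlines():
            # A Fixes: tag carrying a CVE-ID (or anything but a sha) is a misuse.
            if FIXES_ANY_RE.match(line) and not FIXES_OK_RE.match(line):
                bad_fixes.append((sha, line.strip()))
    return dict(by_cve), bad_fixes

def cves_between(from_ref, to_ref, repo="."):
    """Run git log over from_ref..to_ref (e.g. two release tags) and mine it."""
    cmd = ["git", "-C", repo, "log", "--format=%x00%H%n%B", f"{from_ref}..{to_ref}"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return mine(parse_log(out))

# Constructed sample commits (not real brcmfmac history) in the same layout.
SAMPLE_LOG = (
    "\x00" + "a" * 40 + "\nbrcmfmac: fix example overflow\n\n"
    "This addresses CVE-2017-0001.\n\nFixes: " + "b" * 12
    + ' ("brcmfmac: add example feature")\n'
    "\x00" + "c" * 40 + "\nmac80211: another example fix\n\nFixes: cve-2017-0002\n"
)
```

Running cves_between("v4.13", "v4.14") in a kernel checkout gives the per-release list Arend asked about; the warnings list is where the "Fixes: CVE-..." variants end up.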
Arend van Spriel <[email protected]> writes:
> Due to recent events we were asked about some vulnerability fixes for
> brcmfmac. We already fixed a couple of things without referring to a
> so-called CVE-ID, which is what people are asking for. Do we have an
> upstream policy on that? I could not really find anything in the
> Documentation folder (but I may have overlooked it). Might be worth
> mentioning in the commit message like with the Coverity IDs.
Johannes already answered, but I'll just add that this is all I know
about security patches:
If you have a patch that fixes an exploitable security bug, send that
patch to [email protected]. For severe bugs, a short embargo may be
considered to allow distributors to get the patch out to users; in
such cases, obviously, the patch should not be sent to any public
lists.
https://www.kernel.org/doc/html/latest/process/submitting-patches.html
I don't know if you should follow that in this case or not, just wanted
to point this out.
--
Kalle Valo
On 07-09-17 10:59, Johannes Berg wrote:
> On Thu, 2017-09-07 at 10:40 +0200, Arend van Spriel wrote:
>> Hi Kalle,
>>
>> Due to recent events we were asked about some vulnerability fixes for
>> brcmfmac. We already fixed a couple of things without referring to a
>> so-called CVE-ID, which is what people are asking for. Do we have an
>> upstream policy on that? I could not really find anything in the
>> Documentation folder (but I may have overlooked it). Might be worth
>> mentioning in the commit message like with the Coverity IDs.
>
> Sure.
>
> git log --grep "CVE-"
>
> shows it being done frequently.
Right. Failed to do the obvious ;-)
Thanks,
Arend
On 07-09-17 14:34, Kalle Valo wrote:
> Arend van Spriel <[email protected]> writes:
>
>> Due to recent events we were asked about some vulnerability fixes for
>> brcmfmac. We already fixed a couple of things without referring to a
>> so-called CVE-ID, which is what people are asking for. Do we have an
>> upstream policy on that? I could not really find anything in the
>> Documentation folder (but I may have overlooked it). Might be worth
>> mentioning in the commit message like with the Coverity IDs.
>
> Johannes already answered, but I'll just add that this is all I know
> about security patches:
>
> If you have a patch that fixes an exploitable security bug, send that
> patch to [email protected]. For severe bugs, a short embargo may be
> considered to allow distributors to get the patch out to users; in
> such cases, obviously, the patch should not be sent to any public
> lists.
>
> https://www.kernel.org/doc/html/latest/process/submitting-patches.html
>
> I don't know if you should follow that in this case or not, just wanted
> to point this out.
I see. I thought [email protected] was just to report exploitable
security bugs. Thanks for the pointer.
Regards,
Arend
On 07-09-17 10:59, Johannes Berg wrote:
> On Thu, 2017-09-07 at 10:40 +0200, Arend van Spriel wrote:
>> Hi Kalle,
>>
>> Due to recent events we were asked about some vulnerability fixes for
>> brcmfmac. We already fixed a couple of things without referring to a
>> so-called CVE-ID, which is what people are asking for. Do we have an
>> upstream policy on that? I could not really find anything in the
>> Documentation folder (but I may have overlooked it). Might be worth
>> mentioning in the commit message like with the Coverity IDs.
>
> Sure.
>
> git log --grep "CVE-"
>
> shows it being done frequently.
Ok. So doing this I see a number of instances where the CVE-ID is
mentioned in the commit message, but there are also instances that use
the 'Fixes:' tag. Does it make sense to use that or does it serve
another purpose?
Regards,
Arend