Linux wireless drivers development
* using vulnerability ids in patches
From: Arend van Spriel @ 2017-09-07  8:40 UTC (permalink / raw)
  To: Kalle Valo; +Cc: linux-wireless

Hi Kalle,

Due to recent events we were asked about some vulnerability fixes for
brcmfmac. We already fixed a couple of things without referring to a
so-called CVE-ID, which is what people are asking for. Do we have an
upstream policy on that? I could not really find anything in the
Documentation folder (but I may have overlooked it). Might be worth
mentioning in the commit message like with the Coverity IDs.

Regards,
Arend


* Re: using vulnerability ids in patches
From: Johannes Berg @ 2017-09-07  8:59 UTC (permalink / raw)
  To: Arend van Spriel, Kalle Valo; +Cc: linux-wireless

On Thu, 2017-09-07 at 10:40 +0200, Arend van Spriel wrote:
> Hi Kalle,
> 
> Due to recent events we were asked about some vulnerability fixes for
> brcmfmac. We already fixed a couple of things without referring to a
> so-called CVE-ID, which is what people are asking for. Do we have an
> upstream policy on that? I could not really find anything in the
> Documentation folder (but I may have overlooked it). Might be worth
> mentioning in the commit message like with the Coverity IDs.

Sure.

git log --grep "CVE-"

shows it being done frequently.

johannes


* Re: using vulnerability ids in patches
From: Arend van Spriel @ 2017-09-07  9:28 UTC (permalink / raw)
  To: Johannes Berg, Kalle Valo; +Cc: linux-wireless

On 07-09-17 10:59, Johannes Berg wrote:
> On Thu, 2017-09-07 at 10:40 +0200, Arend van Spriel wrote:
>> Hi Kalle,
>>
>> Due to recent events we were asked about some vulnerability fixes for
>> brcmfmac. We already fixed a couple of things without referring to a
>> so-called CVE-ID, which is what people are asking for. Do we have an
>> upstream policy on that? I could not really find anything in the
>> Documentation folder (but I may have overlooked it). Might be worth
>> mentioning in the commit message like with the Coverity IDs.
> 
> Sure.
> 
> git log --grep "CVE-"
> 
> shows it being done frequently.

Right. Failed to do the obvious ;-)

Thanks,
Arend


* Re: using vulnerability ids in patches
From: Arend van Spriel @ 2017-09-07  9:38 UTC (permalink / raw)
  To: Johannes Berg, Kalle Valo; +Cc: linux-wireless

On 07-09-17 10:59, Johannes Berg wrote:
> On Thu, 2017-09-07 at 10:40 +0200, Arend van Spriel wrote:
>> Hi Kalle,
>>
>> Due to recent events we were asked about some vulnerability fixes for
>> brcmfmac. We already fixed a couple of things without referring to a
>> so-called CVE-ID, which is what people are asking for. Do we have an
>> upstream policy on that? I could not really find anything in the
>> Documentation folder (but I may have overlooked it). Might be worth
>> mentioning in the commit message like with the Coverity IDs.
> 
> Sure.
> 
> git log --grep "CVE-"
> 
> shows it being done frequently.

Ok. So doing this I see a number of instances where the CVE-ID is 
mentioned in the commit message, but there are also instances that use 
the 'Fixes:' tag. Does it make sense to use that or does it serve 
another purpose?

Regards,
Arend


* Re: using vulnerability ids in patches
From: Johannes Berg @ 2017-09-07  9:40 UTC (permalink / raw)
  To: Arend van Spriel, Kalle Valo; +Cc: linux-wireless

On Thu, 2017-09-07 at 11:38 +0200, Arend van Spriel wrote:
> 
> Ok. So doing this I see a number of instances where the CVE-ID is
> mentioned in the commit message, but there are also instances that
> use the 'Fixes:' tag. Does it make sense to use that or does it
> serve another purpose?

Huh, I don't think that makes sense - the Fixes: tag should be for the
commit that introduced the bug. I guess parsers will have to ignore
garbage so it's probably safe, but I don't think you could mine for CVE
fixes that way anyway ...

johannes


* Re: using vulnerability ids in patches
From: Arend van Spriel @ 2017-09-07  9:59 UTC (permalink / raw)
  To: Johannes Berg, Kalle Valo; +Cc: linux-wireless

On 07-09-17 11:40, Johannes Berg wrote:
> On Thu, 2017-09-07 at 11:38 +0200, Arend van Spriel wrote:
>>
>> Ok. So doing this I see a number of instances where the CVE-ID is
>> mentioned in the commit message, but there are also instances that
>> use the 'Fixes:' tag. Does it make sense to use that or does it
>> serve another purpose?
> 
> Huh, I don't think that makes sense - the Fixes: tag should be for the
> commit that introduced the bug. I guess parsers will have to ignore
> garbage so it's probably safe, but I don't think you could mine for CVE
> fixes that way anyway ...

Indeed. I see a lot of different ways in which the CVE-IDs are 
referenced, which makes mining for a list of CVE-IDs between releases 
hard. Seems like a useful thing to have though, but people may grow 
tired of all the different tags :-p

Regards,
Arend
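A worked version of the mining that Johannes's `git log --grep "CVE-"` suggestion and Arend's remark above point at. This is an added example, not code from the thread or from the kernel tree: it parses `git log` output for a revision range, collects every CVE-ID no matter where or in which case it appears in the commit message, and flags `Fixes:` tags that carry a CVE-ID instead of the commit that introduced the bug, which is the misuse Johannes objected to. The `git log` format string is my own choice rather than a kernel convention, and the commit hashes, CVE numbers and subjects in the embedded sample are constructed placeholders.

```python
"""Collect CVE-IDs referenced by commits in a git revision range.

Added example for the linux-wireless thread above; not code from the
thread or from the kernel tree. The log format string and the sample
commits below are constructed for illustration.
"""
import re
import subprocess
from collections import defaultdict

# One record per commit: hash, subject and body separated by NUL, records
# separated by the ASCII record separator so multi-line bodies survive.
LOG_FORMAT = "%H%x00%s%x00%b%x1e"
FIELD_SEP = "\x00"
RECORD_SEP = "\x1e"

# Matches CVE-YYYY-NNNN... anywhere in free text, case-insensitively, so a
# lower-case "cve-2017-..." in a sloppy message is still picked up.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
# A Fixes: trailer; it should name the commit that introduced the bug.
FIXES_RE = re.compile(r"^Fixes:\s*(.*)$", re.IGNORECASE | re.MULTILINE)


def git_log(rev_range, repo="."):
    """Return raw log text for e.g. 'v4.12..v4.13'. Needs a git checkout;
    the offline sample below does not call this."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


def parse_log(text):
    """Split raw log text into (sha, subject, body) tuples."""
    records = []
    for chunk in text.split(RECORD_SEP):
        chunk = chunk.strip("\n")
        if not chunk:
            continue
        sha, subject, body = chunk.split(FIELD_SEP, 2)
        records.append((sha, subject, body))
    return records


def mine_cves(records):
    """Return ({CVE-ID: [short shas]}, [(short sha, offending Fixes: line)]).

    CVE-IDs are normalised to upper case and counted once per commit,
    whether they appear in the subject, the body or a trailer.
    """
    by_cve = defaultdict(list)
    misused_fixes = []
    for sha, subject, body in records:
        short = sha[:12]
        seen = set()
        for m in CVE_RE.finditer(subject + "\n" + body):
            cve = f"CVE-{m.group(1)}-{m.group(2)}"
            if cve not in seen:
                seen.add(cve)
                by_cve[cve].append(short)
        # A Fixes: tag carrying a CVE-ID points at nothing a tool can
        # resolve to a commit; report it so the author can correct it.
        for fm in FIXES_RE.finditer(body):
            if CVE_RE.search(fm.group(1)):
                misused_fixes.append((short, fm.group(0)))
    return dict(by_cve), misused_fixes


# Constructed sample: fake hashes, fake CVE numbers, invented subjects.
SAMPLE_LOG = (
    "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678" + FIELD_SEP
    + "brcmfmac: constructed fix (CVE-2017-99991)" + FIELD_SEP
    + "Also mentioned in lower case: cve-2017-99991.\n" + RECORD_SEP + "\n"
    + "b2c3d4e5f6a70819203b4c5d6e7f8a9123456789" + FIELD_SEP
    + "brcmfmac: another constructed fix" + FIELD_SEP
    + "This addresses CVE-2017-99992.\n\n"
    + "Fixes: 0123456789ab (\"brcmfmac: constructed earlier change\")\n"
    + RECORD_SEP + "\n"
    + "c3d4e5f6a7b8091a2b3c4d5e6f7a8b9234567890" + FIELD_SEP
    + "brcmfmac: constructed follow-up" + FIELD_SEP
    + "Fixes: CVE-2017-99992\n" + RECORD_SEP + "\n"
    + "d4e5f6a7b8c91a2b3c4d5e6f7a8b9c3456789012" + FIELD_SEP
    + "brcmfmac: unrelated constructed cleanup" + FIELD_SEP
    + "No security content.\n" + RECORD_SEP + "\n"
)


def mine_sample():
    """Run the miner over the constructed sample log."""
    return mine_cves(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    cves, misused = mine_sample()
    for cve, shas in sorted(cves.items()):
        print(cve, ", ".join(shas))
    for short, line in misused:
        print(f"{short}: '{line}' names a CVE-ID, not the offending commit")
```

Against a real checkout, `mine_cves(parse_log(git_log("v4.12..v4.13")))` gives the per-release list Arend was after; the NUL and record-separator format is what keeps multi-line bodies from being confused with commit boundaries, which a plain `--grep` cannot do.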


* Re: using vulnerability ids in patches
From: Kalle Valo @ 2017-09-07 12:34 UTC (permalink / raw)
  To: Arend van Spriel; +Cc: linux-wireless

Arend van Spriel <arend.vanspriel@broadcom.com> writes:

> Due to recent events we were asked about some vulnerability fixes for
> brcmfmac. We already fixed a couple of things without referring to a
> so-called CVE-ID, which is what people are asking for. Do we have an
> upstream policy on that? I could not really find anything in the
> Documentation folder (but I may have overlooked it). Might be worth
> mentioning in the commit message like with the Coverity IDs.

Johannes already answered, but I'll just add that this is all I know
about security patches:

  If you have a patch that fixes an exploitable security bug, send that
  patch to security@kernel.org. For severe bugs, a short embargo may be
  considered to allow distributors to get the patch out to users; in
  such cases, obviously, the patch should not be sent to any public
  lists.

  https://www.kernel.org/doc/html/latest/process/submitting-patches.html

I don't know if you should follow that in this case or not, just wanted
to point out this.

-- 
Kalle Valo


* Re: using vulnerability ids in patches
From: Arend van Spriel @ 2017-09-07 19:55 UTC (permalink / raw)
  To: Kalle Valo; +Cc: linux-wireless

On 07-09-17 14:34, Kalle Valo wrote:
> Arend van Spriel <arend.vanspriel@broadcom.com> writes:
> 
>> Due to recent events we were asked about some vulnerability fixes for
>> brcmfmac. We already fixed a couple of things without referring to a
>> so-called CVE-ID, which is what people are asking for. Do we have an
>> upstream policy on that? I could not really find anything in the
>> Documentation folder (but I may have overlooked it). Might be worth
>> mentioning in the commit message like with the Coverity IDs.
> 
> Johannes already answered, but I'll just add that this is all I know
> about security patches:
> 
>    If you have a patch that fixes an exploitable security bug, send that
>    patch to security@kernel.org. For severe bugs, a short embargo may be
>    considered to allow distributors to get the patch out to users; in
>    such cases, obviously, the patch should not be sent to any public
>    lists.
> 
>    https://www.kernel.org/doc/html/latest/process/submitting-patches.html
> 
> I don't know if you should follow that in this case or not, just wanted
> to point out this.

I see. I thought security@kernel.org was just to report exploitable 
security bugs. Thanks for the pointer.

Regards,
Arend
