[PATCH 1/2] published: CVE-2025-0927: Fix up JSON schema.

[PATCH 1/2] published: CVE-2025-0927: Fix up JSON schema.

[Siddh Raman Pant]

It doesn't match the schema of other CVEs as it was not generated
by bippy.

Fixed by hand / manually.

programFiles were added from the info in mbox.

Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
---
 cve/published/2025/CVE-2025-0927.json | 36 ++++++++-------------------
 1 file changed, 11 insertions(+), 25 deletions(-)

diff --git a/cve/published/2025/CVE-2025-0927.json b/cve/published/2025/CVE-2025-0927.json
index 0a61961ede76..743e70d4b100 100644
--- a/cve/published/2025/CVE-2025-0927.json
+++ b/cve/published/2025/CVE-2025-0927.json
@@ -4,8 +4,13 @@
             "affected": [
                 {
                     "defaultStatus": "unaffected",
-                    "product": "Linux Kernel",
+                    "product": "Linux",
                     "vendor": "Linux",
+                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+                    "programFiles": [
+                        "fs/hfs/bnode.c",
+                        "fs/hfsplus/bnode.c",
+                    ]
                     "versions": [
                         {
                             "status": "affected",
@@ -17,26 +22,10 @@
             "descriptions": [
                 {
                     "lang": "en",
-                    "supportingMedia": [
-                        {
-                            "base64": false,
-                            "type": "text/html",
-                            "value": "In the Linux kernel, the following vulnerability has been found:<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  <br>A heap overflow in the hfs and hfsplus filesystems can happen if a user mounts a manually crafted filesystem.<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  <br>At this point in time, it is not fixed in any released kernel version, this is a stop-gap report to notify that kernel.org is now the owner of this CVE id.  &nbsp; &nbsp; <br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  <br>The Linux kernel CVE team has been assigned CVE-2025-0927 as it was incorrectly created by a different CNA that really should have known better to not have done this.to this issue.<br>"
-                        }
-                    ],
-                    "value": "In the Linux kernel, the following vulnerability has been found:\n               \nA heap overflow in the hfs and hfsplus filesystems can happen if a user mounts a manually crafted filesystem.\n               \nAt this point in time, it is not fixed in any released kernel version, this is a stop-gap report to notify that kernel.org is now the owner of this CVE id.      \n               \nThe Linux kernel CVE team has been assigned CVE-2025-0927 as it was incorrectly created by a different CNA that really should have known better to not have done this.to this issue."
-                }
-            ],
-            "problemTypes": [
-                {
-                    "descriptions": [
-                        {
-                            "description": "heap overflow in the hfs and hfsplus filesystems with manually crafted filesystem",
-                            "lang": "en"
-                        }
-                    ]
+                    "value": "In the Linux kernel, the following vulnerability has been found:\n\nA heap overflow in the hfs and hfsplus filesystems can happen if a user\nmounts a manually crafted filesystem.\n\nAt this point in time, it is not fixed in any released kernel version,\nthis is a stop-gap report to notify that kernel.org is now the owner of\nthis CVE id.\n\nThe Linux kernel CVE team has been assigned CVE-2025-0927 as it was\nincorrectly created by a different CNA that really should have known\nbetter to not have done this to this issue."
                 }
             ],
+            "title": "heap overflow in the hfs and hfsplus filesystems with manually crafted filesystem",
             "providerMetadata": {
                 "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
             },
@@ -45,21 +34,18 @@
                     "url": "https://www.kernel.org/"
                 }
             ],
-            "source": {
-                "discovery": "UNKNOWN"
-            },
             "x_generator": {
-                "engine": "Vulnogram 0.2.0"
+                "engine": "Human fixing output of Vulnogram 0.2.0 for Linux"
             }
         }
     },
     "cveMetadata": {
         "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
-        "cveId": "CVE-2025-0927",
+        "cveID": "CVE-2025-0927",
         "requesterUserId": "gregkh@kernel.org",
         "serial": 1,
         "state": "PUBLISHED"
     },
     "dataType": "CVE_RECORD",
-    "dataVersion": "5.1"
+    "dataVersion": "5.0"
 }
-- 
2.47.2

[PATCH 2/2] published: CVE-2025-0927: Rearrange fields in JSON.

[Siddh Raman Pant]

Now that we manually fixed the values, let's rearrange the fields so
that it looks like other CVE JSONs.

The order doesn't matter, but it's nice to have it look the same way.

Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
---
 cve/published/2025/CVE-2025-0927.json | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/cve/published/2025/CVE-2025-0927.json b/cve/published/2025/CVE-2025-0927.json
index 743e70d4b100..fcd9fb51e620 100644
--- a/cve/published/2025/CVE-2025-0927.json
+++ b/cve/published/2025/CVE-2025-0927.json
@@ -1,11 +1,20 @@
 {
     "containers": {
         "cna": {
+            "providerMetadata": {
+                "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+            },
+            "descriptions": [
+                {
+                    "lang": "en",
+                    "value": "In the Linux kernel, the following vulnerability has been found:\n\nA heap overflow in the hfs and hfsplus filesystems can happen if a user\nmounts a manually crafted filesystem.\n\nAt this point in time, it is not fixed in any released kernel version,\nthis is a stop-gap report to notify that kernel.org is now the owner of\nthis CVE id.\n\nThe Linux kernel CVE team has been assigned CVE-2025-0927 as it was\nincorrectly created by a different CNA that really should have known\nbetter to not have done this to this issue."
+                }
+            ],
             "affected": [
                 {
-                    "defaultStatus": "unaffected",
                     "product": "Linux",
                     "vendor": "Linux",
+                    "defaultStatus": "unaffected",
                     "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                     "programFiles": [
                         "fs/hfs/bnode.c",
@@ -19,21 +28,12 @@
                     ]
                 }
             ],
-            "descriptions": [
-                {
-                    "lang": "en",
-                    "value": "In the Linux kernel, the following vulnerability has been found:\n\nA heap overflow in the hfs and hfsplus filesystems can happen if a user\nmounts a manually crafted filesystem.\n\nAt this point in time, it is not fixed in any released kernel version,\nthis is a stop-gap report to notify that kernel.org is now the owner of\nthis CVE id.\n\nThe Linux kernel CVE team has been assigned CVE-2025-0927 as it was\nincorrectly created by a different CNA that really should have known\nbetter to not have done this to this issue."
-                }
-            ],
-            "title": "heap overflow in the hfs and hfsplus filesystems with manually crafted filesystem",
-            "providerMetadata": {
-                "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
-            },
             "references": [
                 {
                     "url": "https://www.kernel.org/"
                 }
             ],
+            "title": "heap overflow in the hfs and hfsplus filesystems with manually crafted filesystem",
             "x_generator": {
                 "engine": "Human fixing output of Vulnogram 0.2.0 for Linux"
             }
-- 
2.47.2

Re: [PATCH 1/2] published: CVE-2025-0927: Fix up JSON schema.

[Greg Kroah-Hartman]

On Wed, Apr 02, 2025 at 12:21:52PM +0530, Siddh Raman Pant wrote:
> It doesn't match the schema of other CVEs as it was not generated
> by bippy.

It was created by vulnogram for obvious reasons :(

Also, please cc: cve@kernel.org for stuff like this.

> Fixed by hand / manually.
> 
> programFiles were added from the info in mbox.

So this did two different things?  Why does the layout matter here?
Eventually it will be created properly when someone gets the fix
upstream, I'm waiting for Canonical to do it as they are responsible for
fixing this mess at the moment, but don't seem to be responding to my
emails anymore...

thanks,

greg k-h

Re: [PATCH 2/2] published: CVE-2025-0927: Rearrange fields in JSON.

[Greg Kroah-Hartman]

On Wed, Apr 02, 2025 at 12:21:53PM +0530, Siddh Raman Pant wrote:
> Now that we manually fixed the values, let's rearrange the fields so
> that it looks like other CVE JSONs.
> 
> The order doesn't matter, but it's nice to have it look the same way.

Again, this was created by vulnogram so let's leave it as-is unless
there's a good reason to change it at this time.

thanks,

greg k-h

Re: [PATCH 1/2] published: CVE-2025-0927: Fix up JSON schema.

[Greg Kroah-Hartman]

On Wed, Apr 02, 2025 at 12:21:52PM +0530, Siddh Raman Pant wrote:
> It doesn't match the schema of other CVEs as it was not generated
> by bippy.
> 
> Fixed by hand / manually.
> 
> programFiles were added from the info in mbox.
> 
> Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
> ---
>  cve/published/2025/CVE-2025-0927.json | 36 ++++++++-------------------
>  1 file changed, 11 insertions(+), 25 deletions(-)
> 
> diff --git a/cve/published/2025/CVE-2025-0927.json b/cve/published/2025/CVE-2025-0927.json
> index 0a61961ede76..743e70d4b100 100644
> --- a/cve/published/2025/CVE-2025-0927.json
> +++ b/cve/published/2025/CVE-2025-0927.json
> @@ -4,8 +4,13 @@
>              "affected": [
>                  {
>                      "defaultStatus": "unaffected",
> -                    "product": "Linux Kernel",
> +                    "product": "Linux",
>                      "vendor": "Linux",
> +                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
> +                    "programFiles": [
> +                        "fs/hfs/bnode.c",
> +                        "fs/hfsplus/bnode.c",
> +                    ]

Also, I think the files are more than just this, so this would be
incorrect to add at this point in time.

thanks,

greg k-h

Re: [PATCH 1/2] published: CVE-2025-0927: Fix up JSON schema.

[Siddh Raman Pant]

[-- Attachment #1: Type: text/plain, Size: 1035 bytes --]

On Wed, Apr 02 2025 at 12:36:20 +0530, Greg Kroah-Hartman wrote:
> On Wed, Apr 02, 2025 at 12:21:52PM +0530, Siddh Raman Pant wrote:
> > It doesn't match the schema of other CVEs as it was not generated
> > by bippy.
> 
> It was created by vulnogram for obvious reasons :(
> 
> Also, please cc: cve@kernel.org for stuff like this.

Okay, noted.

> 
> > Fixed by hand / manually.
> > 
> > programFiles were added from the info in mbox.
> 
> So this did two different things?  Why does the layout matter here?
> Eventually it will be created properly when someone gets the fix
> upstream, I'm waiting for Canonical to do it as they are responsible for
> fixing this mess at the moment, but don't seem to be responding to my
> emails anymore...

Apparently, they fixed it in February and backported it:

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?h=Ubuntu-6.8.0-54.56&id=09ad3b1e99befe042ae5219e4020eb54411d98ef

https://ubuntu.com/security/CVE-2025-0927

Thanks,
Siddh

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH 1/2] published: CVE-2025-0927: Fix up JSON schema.

[gregkh]

On Wed, Apr 02, 2025 at 07:16:33AM +0000, Siddh Raman Pant wrote:
> On Wed, Apr 02 2025 at 12:36:20 +0530, Greg Kroah-Hartman wrote:
> > On Wed, Apr 02, 2025 at 12:21:52PM +0530, Siddh Raman Pant wrote:
> > > It doesn't match the schema of other CVEs as it was not generated
> > > by bippy.
> > 
> > It was created by vulnogram for obvious reasons :(
> > 
> > Also, please cc: cve@kernel.org for stuff like this.
> 
> Okay, noted.
> 
> > 
> > > Fixed by hand / manually.
> > > 
> > > programFiles were added from the info in mbox.
> > 
> > So this did two different things?  Why does the layout matter here?
> > Eventually it will be created properly when someone gets the fix
> > upstream, I'm waiting for Canonical to do it as they are responsible for
> > fixing this mess at the moment, but don't seem to be responding to my
> > emails anymore...
> 
> Apparently, they fixed it in February and backported it:
> 
> https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?h=Ubuntu-6.8.0-54.56&id=09ad3b1e99befe042ae5219e4020eb54411d98ef
> 
> https://ubuntu.com/security/CVE-2025-0927

Yes, they did that without telling anyone, and assigned a CVE for it
which they are not allowed to do at all, which is why I had to
hand-create this one when it was transferred to kernel.org.  They should
be working to get that change upstream properly, but again, they seem to
be ignoring us totally at the moment :(

greg k-h