qemu-devel.nongnu.org archive mirror
From: Paolo Bonzini <pbonzini@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>, qemu-devel@nongnu.org
Cc: Prasad J Pandit <pjp@fedoraproject.org>, Thomas Huth <thuth@redhat.com>
Subject: Re: [Qemu-devel] [web PATCH 0/4] Add web section reporting information about CVEs in QEMU
Date: Thu, 18 Oct 2018 23:36:39 +0200
Message-ID: <c11576e1-9644-66e7-7dc6-b9d0ee4b537f@redhat.com>
In-Reply-To: <20181018145203.11336-1-berrange@redhat.com>

On 18/10/2018 16:51, Daniel P. Berrangé wrote:
> 
> After adding the new $YEAR/$ID.xml file, 'make' will build the
> corresponding indexes and HTML/TXT renderings. Ideally the machine which
> is hosting the QEMU website would run 'make' after pulling new
> commits. In this series, however, I have just committed the rendered
> content to git.

"git push" is already running Jekyll, which has a templating mechanism
similar to the one used for blog posts
(https://jekyllrb.com/docs/collections/).  Basically one security notice
would be a file in a _secnotices directory, with the metadata in a YAML
preamble like this:

---
title: Speculative store bypass
id: 2018-001
date: 2018-05-21
reported: 2018-03-12
fixed: 2018-06-26

credits:
  - reporter:
    - name: Ken Johnson (Microsoft Security Response Center)
    - name: Jann Horn (Google Project Zero)
  - patcher:
    - name: Daniel P. Berrangé
      email: berrange@redhat.com
    - name: Konrad Rzeszutek Wilk
      email: konrad.wilk@oracle.com

advisories:
  - type: CVE
    id: 2018-3639

branches:
  - master:
      state: fixed
      change:
      - d19d1f965904a533998739698020ff4ee8a103da: fixed
      - 403503b162ffc33fb64cfefdf7b880acf41772cd: fixed
      - 4f50c1673a89b07f376ce5c42d22d79a79cd466d: merged
      - a764f3f7197f4d7ad8fe8424269933de912224cb: fixed
      - e409d9a158c77c650651e8118f6c86c8dc76eba6: merged
      - 7ba1e61953f4592606e60b2e7507ff6a6faf861a: vulnerable
      tag:
      - v0.10.1: vulnerable
    ...
---

{% contentfor description %}
An industry-wide issue was found in the way many modern microprocessor
designs have implemented speculative execution of Load & Store
instructions (a commonly used performance optimization).

It relies on the presence of a precisely-defined instruction sequence
in the privileged code as well as the fact that memory read from address
to which a recent memory write has occurred may see an older value and
subsequently cause an update into the microprocessor's data cache even
for speculatively executed instructions that never actually commit (retire).
{% endcontentfor %}

{% contentfor impact %}
As a result, an unprivileged attacker could use this flaw to read
privileged memory by conducting targeted cache side-channel attacks.
{% endcontentfor %}

{% contentfor mitigation %}
None
{% endcontentfor %}


(Requires the jekyll-contentblocks plugin).

I am not a YAML fan, but I still would probably have to hide if I
suggested using XSLT to convert the XML files to YAML. :)  Still, one
question is obvious: is the XML an industry standard?  That would make
it more palatable...
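
As an added example (not part of the original message and not code from the QEMU web repository), here is a Ruby check that could run on a _secnotices file before Jekyll builds it: it loads the preamble with YAML.safe_load and validates the dates, the CVE id and the per-branch commit states. The field rules (required keys, 40-hex commit ids, "fixed" not earlier than "reported") are assumptions drawn from the sample preamble above, and the embedded sample is cut down from it.

```ruby
require 'yaml'
require 'date'

STATES = %w[fixed merged vulnerable].freeze # the states used in the message

# Parse the YAML preamble of a notice file. safe_load refuses arbitrary Ruby
# objects and aliases; Date is the only non-basic class let through.
def front_matter(text)
  m = text.match(/\A---\s*\n(.*?)\n---\s*$/m) or raise ArgumentError, 'no YAML preamble'
  YAML.safe_load(m[1], permitted_classes: [Date])
end

# Return a list of problems; an empty list means the notice passed.
def check_notice(text)
  meta = front_matter(text)
  errs = %w[id advisories branches].reject { |k| meta.key?(k) }.map { |k| "missing field: #{k}" }
  %w[date reported fixed].each { |k| errs << "#{k}: missing or not YYYY-MM-DD" unless meta[k].is_a?(Date) }
  r, f = meta.values_at('reported', 'fixed')
  errs << 'fixed precedes reported' if r.is_a?(Date) && f.is_a?(Date) && f < r
  Array(meta['advisories']).each do |a|
    errs << "bad CVE id: #{a['id']}" if a['type'] == 'CVE' && a['id'].to_s !~ /\A\d{4}-\d{4,}\z/
  end
  Array(meta['branches']).flat_map(&:to_a).each do |branch, info|
    errs << "#{branch}: bad state #{info['state']}" unless STATES.include?(info['state'])
    Array(info['change']).flat_map(&:to_a).each do |sha, state|
      errs << "#{branch}: bad change #{sha}: #{state}" unless sha.to_s.match?(/\A\h{40}\z/) && STATES.include?(state)
    end
  end
  errs
end

# Constructed sample: the preamble from the message, cut down to one commit.
GOOD = <<~NOTICE
  ---
  id: 2018-001
  date: 2018-05-21
  reported: 2018-03-12
  fixed: 2018-06-26
  advisories:
    - type: CVE
      id: 2018-3639
  branches:
    - master:
        state: fixed
        change:
        - d19d1f965904a533998739698020ff4ee8a103da: fixed
  ---
NOTICE
# Constructed bad variant: fix date before report, truncated hash, unknown state.
BAD = GOOD.sub('2018-06-26', '2018-01-02').sub('8a103da: fixed', ': patched')
```

check_notice(GOOD) returns an empty list; check_notice(BAD) reports the date ordering and the malformed change entry.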
