Disclaimer
working as part of the Linux kernel security team since it was created in 2005. Nothing in here reflects the opinion of the Linux Foundation or any other Linux kernel developer. But hopefully I can convince them to agree with me.
weaknesses in product that can be exploited, causing a negative impact to confidentiality, integrity, or availability; a set of conditions or behaviors that allows the violation of an explicit or implicit security policy.” – cve.org
to be updated before public announcements
› CVEs only reference the specific fix, not whether any previous changes are needed.
› CVE fixes are NOT tested independently
› Votes on whether a commit is, or is not, a vulnerability
› Each team member uses different methods
› Commits that are agreed on get assigned
› Commits that are disagreed on are discussed
› Review happens in public
we want to, it’s pretty important, but so far we’ve successfully managed to ignore it. It’s not going to be easy. By definition, the people who got us here can’t fix this problem. They would have long ago if they could. Many of the people involved in the vulnerability space, CVE, NVD – they have been doing this work for decades. A bunch don’t think there’s anything wrong. If you talk to any vulnerability analyst, developer, or operations person actually working with CVE IDs, they’re miserable. They get their work done in spite of CVE IDs, not because of them.” – Kurt Seifried & Josh Bressers https://opensourcesecurity.io/2024/06/03/why-are-vulnerabilities-out-of-control-in-2024/
affected
› Every CVE says what versions are affected
› Very few CVEs are applicable for you!
› JSON format
https://git.kernel.org/pub/scm/linux/security/vulns.git/
https://github.com/CVEProject/cvelistV5.git
to either update to latest stables and do all the work needed to get it running in production, or one must triage every fix to find only those that need to be applied based on one's threat model. Either way is likely a lot of work, but one must figure out which is the least amount of work, and then do it. There isn't another path to running a kernel with the flaws fixed.” – Kees Cook
or incorrect “Fixes:” tags
› Multiple “Fixes:” tags across releases
› Fixes going backwards in time
› Vulnerable only in branches
› No fixes despite the tag saying so
› ...
Usage: ./bippy [OPTIONS]
Create a JSON and/or MBOX file to report a CVE based on a specific Linux kernel git sha value.
Arguments:
  -c, --cve=CVE_NUMBER          The full CVE number to assign
  -s, --sha=GIT_SHA             The kernel git sha1 to assign the CVE to
      --vulnerable=GIT_SHA      The kernel git sha1 that this issue became vulnerable at. (optional)
  -j, --json=JSON_FILENAME      Output a JSON report to submit to CVE to the specified filename
  -m, --mbox=MBOX_FILENAME      Output a mbox file to submit to the CVE announce mailing list
      --diff=DIFF_FILENAME      File containing a diff for the changelog text to be applied. (optional)
      --reference=REF_FILENAME  File containing a list of url references to add to the json record. (optional)
  -u, --user=EMAIL              Email of user creating the record.
  -n, --name=NAME               Name of the user creating the record.
  -h, --help                    This information
  -v, --verbose                 Show debugging information to stdout
Note, CVE_NUMBER and GIT_SHA are required, as well as at least one of JSON_FILENAME and/or MBOX_FILENAME.
If EMAIL or NAME is not specified, they will be taken from 'git config' user settings.
$ strak v6.10.11
v6.10.11 is vulnerable to CVE-2024-41013
v6.10.11 is vulnerable to CVE-2024-41014
v6.10.11 is vulnerable to CVE-2024-41016
$ strak --fixed 6.6.49
CVE-2024-43891 is fixed in 6.6.49 with commit 4ed03758ddf0
CVE-2024-46673 is fixed in 6.6.49 with commit 8a3995a3ffec
CVE-2024-46674 is fixed in 6.6.49 with commit e1e5e8ea2731
CVE-2024-46675 is fixed in 6.6.49 with commit 7bb11a75dd4d
CVE-2024-46676 is fixed in 6.6.49 with commit 56ad559cf6d8
CVE-2024-46677 is fixed in 6.6.49 with commit 28c67f0f84f8
CVE-2024-46678 is fixed in 6.6.49 with commit 6b598069164a
CVE-2024-46679 is fixed in 6.6.49 with commit 94ab317024ba
CVE-2024-46680 is fixed in 6.6.49 with commit 662a55986b88
CVE-2024-46685 is fixed in 6.6.49 with commit 4ed45fe99ec9
CVE-2024-46686 is fixed in 6.6.49 with commit a01859dd6aeb
CVE-2024-46687 is fixed in 6.6.49 with commit 51722b99f41f
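As an added example (not from the slides, and not the code of strak or bippy): the per-version decision a tool like strak has to make, applied to a constructed record in the cvelistV5 JSON shape that the vulns.git and cvelistV5 repositories publish. The affected/defaultStatus/version/lessThan(OrEqual) field semantics are assumptions taken from the public format, and every value in the sample record is a placeholder.

```python
import json
# Constructed sample in the cvelistV5 shape the kernel CNA publishes (assumed
# field semantics; the CVE id, versions and ranges are placeholders, not real).
SAMPLE_RECORD = json.loads("""
{"cveMetadata": {"cveId": "CVE-YYYY-NNNNN"},
 "containers": {"cna": {"affected": [
   {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected",
    "versions": [
      {"version": "6.2", "status": "affected"},
      {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"},
      {"version": "6.6.49", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"},
      {"version": "6.10.8", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver"},
      {"version": "6.11", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}
    ]}]}}}""")

def parse_version(v):
    """'6.6.49' -> (6, 6, 49); drops a trailing '*', ignores '-rcN' suffixes."""
    parts = [int(p.split("-")[0]) for p in v.split(".") if p != "*"]
    return tuple(parts + [0] * (3 - len(parts)))

def entry_matches(ver, entry):
    """Does kernel version tuple `ver` fall inside one versions[] entry?"""
    lo = parse_version(entry["version"])
    if ver < lo:
        return False
    if "lessThan" in entry:
        return ver < parse_version(entry["lessThan"])
    hi = entry.get("lessThanOrEqual")
    if hi is None:           # point entry, e.g. the release the bug appeared in
        return ver == lo
    if hi == "*":            # open-ended: every later version
        return True
    if hi.endswith(".*"):    # "6.6.*": only the same x.y stable series
        return ver[:2] == parse_version(hi)[:2]
    return ver <= parse_version(hi)

def is_affected(record, kernel_version):
    """Per-CVE decision: an explicit 'unaffected' range wins, then 'affected', else defaultStatus."""
    ver = parse_version(kernel_version)
    default, hits = "unaffected", set()
    for product in record["containers"]["cna"]["affected"]:
        entries = [e for e in product["versions"] if e.get("versionType") != "git"]
        if not entries:      # git-sha ranges need a checkout to compare; skip
            continue
        default = product.get("defaultStatus", "affected")
        hits.update(e["status"] for e in entries if entry_matches(ver, e))
    if "unaffected" in hits:
        return False
    return "affected" in hits or default == "affected"
```

Note that a stable kernel one patch short of the fix release (6.6.48 here) stays affected even though a later series (6.10.8) already carries the fix, which is exactly why the slides say very few CVEs apply to a given tree and why the version data in the record, not the CVE count, is what matters.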
possible kernels
› CVEs are an imperfect mapping of flaws
› Before being a CNA, many flaws were not assigned CVEs: a large-scale false negative rate
› After being a CNA, some CVEs are assigned for non-flaws: a small-scale false positive rate
› So being a CNA has resulted in a large drop in false negatives with a small bump in false positives, a net benefit for identifying fixed flaws
Thanks to Kees for this list