Re: [PATCH v3] Documentation: Document the Linux Kernel CVE process
From: Jiri Kosina
Date: Wed Feb 14 2024 - 09:46:19 EST
On Wed, 14 Feb 2024, Mark Brown wrote:
> Not addressing your point in general but the speaker volume limiting is
> security relevant, that change prevents physical damage to the system.
> There's an argument for many headphone volume related fixes too since
> excessively large volumes can cause substantial distress and potential
> injury to users (I can't remember if that fix would be relevant to that
> issue).
Thanks, I guess you are actually supporting my point, and that is -- there
is no consensus whatsoever of what assigning a CVE actually means, at all.
To me -- physical damage to the system, fair enough, that might really
easily be security relevant.
Something being too loud, causing distress ... that's really a grey zone
(to put it mildly) for me. How about e.g. a bug in GPU driver, leading to
a flickering screen? Many people are very sensitive to that (both
physically and mentally) for various reasons.
Bug worth fixing? Absolutely, as soon as possible. Security-relevant? Not
in my book.
To me, kernel is in no way special, in this respect, actually. With each
and every coding error in software of your choice, given anough fantasy,
you'll come up with a scenario where this will cause some real issues to
some living human.
That's not what CVE is about at all, at least in my understaing.
--
Jiri Kosina
SUSE Labs