To recap:
- the CVE description comes from was upstream commit bed9e27baf52
- neither the CVE mitigation section nor the mentioned kernel releases
fix the bug mentioned in the upstream commit, because the mitigation
section also includes commits that _revert_ commit bed9e27baf52
- this second revert is not mentioned anywhere, so the CVE description
is at best misleading; or perhaps more accurately described as
"completely f***ed up".
I'm sure it's just a bug in the scripts, but it's worrisome that you
don't acknowledge this.
So now you're asking us to drop this additional work on them by
reviewing CVE requests?
It doesn't have to be mandatory. But for people that _do_ want to do
the work, they might as well do it before the CVE is publicly announced,
rather than after. At least give us the possibility of doing it without
bureaucracy.
How were you aware until a few weeks ago where CVE assignments were
handled by different entities?
They more often than not CC'd me before the patch was committed and
provided me the CVE id, and I was able to provide input or dispute the
assignment beforehand. This is exactly what I'm suggesting that the
kernel should do.
So yes, I disagree with your "all of them" statement. For that matter,
I'd argue that the number of users who need massaged messages are the
vast minority.
They don't need massaged messages. They need correct and complete ones.
You're completely removing the human part of the work and expecting
the result to be of comparable quality. That's not going to happen, and
this CVE is an example of this.
2) how are you going to handle patch dependencies? Are they going to
be rolled into a single entry or split into multiple announcements?
Likely multiple different entries.
So, looking at
https://git.kernel.org/pub/scm/linux/security/vulns.git/tree/cve/review/6.7.proposed
I see
aeb686a98a9e usb: gadget: uvc: Allocate uvc_requests one at a time
da324ffce34c usb: gadget: uvc: Fix use-after-free for inflight usb_requests
What vulnerability is the first one fixing? Looking at your GSD
entries, will there even be CVEs purporting that renaming a variable
from "foo" to "bar" is fixing a vulnerability?
3) are the scripts used to generate the CVEs public? Can fixes to the
scripts be developed in the open?
Yup - https://git.kernel.org/pub/scm/linux/security/vulns.git/ .
What about the detection part?
I like to assume the best of people, so I'll assume that this is just
naïveté rather than an intentional attempt at burning everything down.
But please, let's take a step back and understand what the proposed
workflow fixes and breaks for everyone (especially maintainers and
distros). Then make a proper solution. In the meanwhile you can keep
sending test announcements to linux-cve-announce, and those can be used
to debug the process and the scripts.
In fact it would be nice if bippy included at the end the command line
that was used, to aid the reproduction and fixing of bugs.