From: Siddhesh Poyarekar
To: Carlos O'Donell, libc-alpha, Adhemerval Zanella
Subject: Re: Content of glibc advisories vs. CVE JSON v5 and CNA rules?
Date: Fri, 3 May 2024 08:57:24 -0400
Message-ID: <7b7cb8d0-c6d1-484a-aba5-a9c53798dc5c@redhat.com>

On 2024-05-02 17:40, Carlos O'Donell wrote:
> I want to make it as easy as a cut-and-paste to complete the work of
> publishing the CVE data when the advisory text is complete.
>
> When the glibc security team publishes an advisory as part of the CNA process
> we must comply with the CNA Rules and our goal is to use CVE JSONv5 format
> uploads.
>
> The JSONv5 format has a title and description field that must be provided.
>
> The most interesting part is that the CVE description has some explicit
> requirements in [1] that mean we would adopt similar requirements for
> the text of our own advisories.
>
> My opinion is as follows:
>
> - The first line of our advisories should be the CVE title.
> - The descriptive text of the advisory should be the CVE description.
> - Note the rules say "8.2.6 MAY contain information not listed here."
>   so we can provide whatever else we want.

The CVE title is optional. However, we do need a title for our advisories (i.e. the first line of the advisory file), so I'm fine with us making it mandatory.
The CVE description (for the Mitre database) is recommended to be a single descriptive passage (preferably a sentence) that encompasses all of the necessary information, i.e. nature, version range affected, module and impact of the flaw. We could make this the first passage of our advisory file and then choose to augment our advisories in following passages when we can. That is something like this:

    Buffer overflow in posix_foo may result in arbitrary code execution

    The function posix_foo in the GNU C Library versions 2.32 to 2.39 has a
    buffer overflow which may be exploited by an attacker to achieve
    arbitrary code execution.

    The function posix_foo takes foo_buf as an input but it fails to
    validate the buffer against some_size. An attacker may pass a small
    enough buffer as foo_buf and cause the function to overflow into
    sensitive_struct, allowing it to control the jump destination from the
    funcptr function pointer.

    This was fixed with...

Does that align with what you're suggesting?

Thanks,
Sid
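The advisory layout sketched in this message (title on the first line, the CVE description as the first passage, further detail in later passages) mapped onto a CVE JSON 5 record skeleton, as an added example that is not part of this thread and not glibc's own advisory tooling. The sample advisory is constructed from the hypothetical posix_foo text above (posix_foo is a placeholder, not a real glibc symbol); the record field names (dataType, cveMetadata, containers.cna.title/descriptions/affected) follow the CVE JSON 5 schema as the author of this example understands it; the CVE id, assigner org id and versionType value are placeholders; and the description checks are this example's own heuristics for the elements named in the message (version range, product/module, impact), not the CNA rules themselves.

```python
"""Map a glibc-style advisory text file onto a CVE JSON 5 record skeleton.

Added example, not glibc project tooling. First line -> CVE title, first
paragraph -> CVE description, later paragraphs -> extra detail the record
MAY carry. A lightweight check flags descriptions that lack the elements
the thread lists: affected version range, product/module, and impact.
"""
import json
import re

# Constructed sample input, based on the hypothetical advisory in the thread.
# posix_foo is a placeholder function name, not a real glibc symbol.
SAMPLE_ADVISORY = """\
Buffer overflow in posix_foo may result in arbitrary code execution

The function posix_foo in the GNU C Library versions 2.32 to 2.39 has a
buffer overflow which may be exploited by an attacker to achieve arbitrary
code execution.

The function posix_foo takes foo_buf as an input but it fails to validate
the buffer against some_size.
"""

# "versions 2.32 to 2.39" style range; this pattern is an assumption of the
# example, not a rule from the thread or the CNA rules.
VERSION_RANGE = re.compile(r"versions?\s+(\d+\.\d+)\s+(?:to|through)\s+(\d+\.\d+)")
# Generic impact phrases used by the heuristic check (example's own list).
IMPACT_WORDS = ("code execution", "denial of service", "information disclosure",
                "privilege escalation", "crash")


def split_paragraphs(text):
    """Return the advisory as a list of paragraphs, each joined onto one line."""
    paragraphs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.strip() for line in block.splitlines() if line.strip()]
        if lines:
            paragraphs.append(" ".join(lines))
    return paragraphs


def parse_advisory(text):
    """Split an advisory into title, CVE description, and remaining detail."""
    paragraphs = split_paragraphs(text)
    if len(paragraphs) < 2:
        raise ValueError("advisory needs a title line and a description paragraph")
    return {
        "title": paragraphs[0],
        "description": paragraphs[1],
        "details": paragraphs[2:],
    }


def check_description(description):
    """Return the elements the thread expects in a description that are missing."""
    missing = []
    if not VERSION_RANGE.search(description):
        missing.append("affected version range (e.g. 'versions 2.32 to 2.39')")
    if "GNU C Library" not in description and "glibc" not in description:
        missing.append("product name")
    if not any(word in description.lower() for word in IMPACT_WORDS):
        missing.append("impact")
    return missing


def to_cve_record(advisory, cve_id="CVE-YYYY-NNNNN", org_id="ORG-ID-PLACEHOLDER"):
    """Build a CVE JSON 5 style record; the CNA container layout is assumed."""
    desc = advisory["description"]
    match = VERSION_RANGE.search(desc)
    versions = []
    if match:
        first, last = match.groups()
        versions.append({"version": first, "lessThanOrEqual": last,
                         "status": "affected", "versionType": "custom"})
    return {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.0",
        "cveMetadata": {"cveId": cve_id, "assignerOrgId": org_id, "state": "PUBLISHED"},
        "containers": {
            "cna": {
                "title": advisory["title"],
                "descriptions": [{"lang": "en", "value": desc}],
                "affected": [{"vendor": "GNU", "product": "glibc", "versions": versions}],
            }
        },
    }


if __name__ == "__main__":
    adv = parse_advisory(SAMPLE_ADVISORY)
    problems = check_description(adv["description"])
    if problems:
        raise SystemExit("description is missing: " + "; ".join(problems))
    print(json.dumps(to_cve_record(adv), indent=2))
```

Run stand-alone it prints the record for the sample advisory; pointed at a real advisory file, the check_description result is what a cut-and-paste workflow would want to see empty before the JSON is uploaded.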