Message-ID: <D06F40E5-0DBC-4FF2-BAF5-2373BDF3815C@kernel.org>
Date: Thu, 29 Feb 2024 07:08:06 -0800
From: Kees Cook <kees@...nel.org>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Michal Hocko <mhocko@...e.com>
CC: Kees Cook <keescook@...omium.org>, cve@...nel.org,
linux-kernel@...r.kernel.org
Subject: Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array
On February 29, 2024 6:18:36 AM PST, Greg Kroah-Hartman <gregkh@...uxfoundation.org> wrote:
>As part of the requirement to be a CNA, we have to announce everything
>that we think is a potential vulnerability, severity not be judged at
> [...]
>Again, none of this has anything to do with "severity", it only is an
>identifier that says "this fixes a vulnerability".
The language here can perhaps be improved for better understanding by folks since "CVE" and "vulnerability" can mean different things to different people. I would say "this fixes a weakness".
CVEs are for anything deemed a "weakness"[1]. It doesn't need to rise to the level of what many people would consider a "vulnerability". (Modern attacks traditionally chain many weaknesses together to form an exploit, some of which look harmless when examined in isolation.)
I find it helps to keep in mind the "CIA" acronym of what makes up a security weakness: "negative impact to Confidentiality, Integrity, or Availability". (Not to be confused with the US Gov intelligence org with the same acronym, ironically.)
-Kees
[1] https://nvd.nist.gov/vuln
--
Kees Cook