lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZeDAlRyp9L4L7f37@tiehlicka>
Date: Thu, 29 Feb 2024 18:36:21 +0100
From: Michal Hocko <mhocko@...e.com>
To: Kees Cook <kees@...nel.org>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Kees Cook <keescook@...omium.org>, cve@...nel.org,
	linux-kernel@...r.kernel.org
Subject: Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of
 drmem array

On Thu 29-02-24 07:08:06, Kees Cook wrote:
> 
> 
> On February 29, 2024 6:18:36 AM PST, Greg Kroah-Hartman <gregkh@...uxfoundation.org> wrote:
> >As part of the requirement to be a CNA, we have to announce everything
> >that we think is a potential vulnerability, severity not be judged at
> > [...]
> >Again, none of this has anything to do with "severity", it only is an
> >identifier that says "this fixes a vulnerability".
> 
> The language here can perhaps be improved for better understanding by
> folks since "CVE" and "vulnerability" can mean different things to
> different people. I would say "this fixes a weakness".
> 
> CVEs are for anything deemed a "weakness"[1]. It doesn't need to rise
> to the level of what many people would consider a "vulnerability".
> (Modern attacks traditionally chain many weaknesses together to form
> an exploit, some of which look harmless when examined in isolation.)
> 
> I find it helps to keep in mind the "CIA" acronym of what makes up a
> security weakness: "negative impact to Confidentiality, Integrity, or
> Availability". (Not to be confused with the US Gov intelligence org
> with the name acronym, ironically.)

Yes, this makes a lot of sense to me and I believe we are on the same
page here. We have gone in several tangents here but let me just remind
that I was objecting/wondering how much sense does it make to assign CVE
to configurations which are inherently insecure. From a user POV, does
it make me safer to have that addressed when the fundamental
configuration hole (to allow untrusted user to access said resources)
still in place. See my point or do I still fail to explain myself? It is
not about assuming usecases and whatnot.
 
> -Kees
> 
> [1] https://nvd.nist.gov/vuln

-- 
Michal Hocko
SUSE Labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ