[Documentation] Retrieve CVEs for systemd own bugs and log them on git-log

[MikhailKasimov]

Submission type

• Request for enhancement (RFE)

systemd version the issue has been seen with

ANY

Hello!

Don't know if systemd developers track the seclists.org/oss-sec/ site, but here is the idea of retrieving CVEs for systemd own bugs and logging them on to its git log. See: http://seclists.org/oss-sec/2017/q1/175 :

We would like to see that systemd upstream retrieves CVE's themself for their own bugs,
even if its believed that its just a local DoS.
This would make distributors life much easier when we read the git logs to spot potential issues.
The systemd git log is really huge, with lots of commits each week ("new services as a service").

Doable?

[martinpitt]

We can't retroactively put the CVE numbers into the commit logs, but we could tag a comit that fixes an issue with CVE-*. I believe there is also another git concept where you can add annotations to past commits, which we had used in the past to mark bug fix commits which are useful for backporting. It's apparently not "annotations" (git-annotate is something else), but something like that, can someone remember?

[mbiebl]

It was git notes iirc

[poettering]

i don't see how the quoted text from that security mailing list would request us to store CVE information in log messages. They want us to request CVE assignments directly from them, when we encounter bugs. I am not sure I buy enough into the security circus to do that though for any minor issue... It's also particularly hard if the impact of a bug isn't obvious. After all, how should we report CVEs for bugs that we (mis-)judge as (ir-)relevant? I also doubt the usefulness of CVEs is helped if we'd swamp them with irrelevant noise...

(also, does github even show git notes?)

Hence, I doubt the security community requests what is asked for in this issue. And I am pretty sure it's not our job as developers to file CVEs for any bug – regardless how small – we encounter. CVEs are after all not our currency, but the security community's...

Anyway, closing this here. I hope the above makes some sense.

[andreasstieger]

I think what @sebastian-suse wanted to express in his post to the oss-security mailing list was the following:

The original issue was committed as a fix for a local DoS. Requesting and assigning CVEs for this type of vector is perfectly feasible. If so, someone may have pointed out that this was in fact a local privilege escalation issue much earlier.

I do not think that concurrency is required here. If the developers consider an issue minor, a section in the release notes would help. In any case the keyword "local DoS" ought to trigger something in the mind of the capable developer or release manager, considering the "availability" protection target.

This may not be your particular project focus, as you mentioned CVEs as a currency rather than an method for organizing things. The security teams of distributions and CNAs will gladly help with this.

[martinpitt]

The original issue was committed as a fix for a local DoS. Requesting and assigning CVEs for this type of vector is perfectly feasible

I disagree -- a local DoS is thoroughly uninteresting at least in Linux; there are numerous legitimate and much simpler ways to DoS your machine, issuing CVEs and security updates for things like this is just busywork and will distract attention from the actually important issues.

[andreasstieger]

Distribution security teams are perfectly happy to score and issue collective updates covering minor issues, or not issuing them at all. Or, as in this case, let you know if we think that the severity may be different.

[evverx]

@andreasstieger , not sure I understand. Distribution security teams don't really read the systemd git log (for example, f134289, cf447cb) because

The systemd git log is really huge, with lots of commits each week

Right?

[andreasstieger]

At this time, the systemd commit log is not something (my team) monitors.

As for the "busywork" argument, CVE-2016-10156 is an example of where this can go wrong, actually be a local root exploit.

I am not sure where to take it from here. The request remains to have some kind of policy of communicating potentially security relevant changes to downstream stakeholders, which can then do what they want or must do with it. Also do not under-estimate the back-flow of patches, corrections and testing.

[evverx]

As for the "busywork" argument, CVE-2016-10156 is an example of where this can go wrong, actually be a local root exploit

Well, the commit message doesn't contain the real impact. But I don't really understand how can security-minded reader miss basic: fix touch() creating files with 07777 mode

I thought that security people read/review systemd. I was wrong.

Indeed, we need

some kind of policy of communicating potentially security relevant changes to downstream stakeholders

but I'm not sure what to do about it

[MikhailKasimov]

how can security-minded reader miss basic: fix touch() creating files with 07777 mode

To mark such things with big bold red letters [SECURITY-ISSUE]?

[stealth]

This is my private address. Dont use it for work related stuff. If you want to contact me via github, use the "sebastian-suse" account there.

…

------[ you wrote ]------ | I think what @stealth wanted to express in his post to the oss-security mailing list was the following: | | The original issue was committed as a fix for a local DoS. Requesting and assigning CVEs for this type of vector is perfectly feasible. If so, someone may have pointed out that this was in fact a local privilege escalation issue much earlier. | | I do not think that concurrency is required here. If the developers consider an issue minor, a section in the release notes would help. In any case the keyword "local DoS" ought to trigger something in the mind of the capable developer or release manager, considering the "availability" protection target. | | This may not be your particular project focus, as you mentioned CVEs as a currency rather than an method for organizing things. The security teams of distributions and CNAs will gladly help with this. | | -- | You are receiving this because you were mentioned. | Reply to this email directly or view it on GitHub: | #5144 (comment) `-------------------------------------------------

-- ~ ~ perl <-> $_='print"\$_=\47$_\47;eval"';eval ~ bash <-> $(curl stealth.openwall.net/null/nuts.txt)