Missing critical patches of several high-risk bugs

Seth Arnold seth.arnold at canonical.com
Sat Jun 12 00:35:58 UTC 2021


On Thu, May 13, 2021 at 10:22:05PM -0700, syzscope sys wrote:
> I just found out that Ubuntu is on the CVE CNA list.
> Do you think it's possible that Ubuntu could assign the CVEs for those
> issues directly instead of asking Google? Once the CVE is assigned, it
> should benefit not only Ubuntu but also other potentially affected
> kernels.

Yes, Ubuntu is a CNA -- it's one of my roles. :)

I suggested using one of Google's CNAs for a few reasons:

- Google has vastly more resources than we do. Doing a decent job of
  assigning CVEs takes time and effort, and we're already trying to do
  too much with too few resources. Taking on the essentially unbounded
  amount of work of "assign CVEs for all syzkaller findings" is, simply
  speaking, not a commitment that I can make.

- Google's syzkaller and infrastructure are already doing the work to find
  and publicise the issues; it's quite common for vulnerability
  discoverers to use their own internal CNA resources for this.

I know Canonical, and Ubuntu users, would be better off if someone
assigned CVEs to these findings. It's just not something I can commit to
doing because of the scale of work involved.

Thanks