Missing critical patches of several high-risk bugs

Seth Arnold seth.arnold at canonical.com
Wed May 12 01:57:21 UTC 2021


On Fri, May 07, 2021 at 05:47:51PM -0700, SyzScope wrote:
> This is SyzScope, a research project that aims to reveal high-risk
> primitives from a low-risk bug.

Hello, this is pretty cool stuff. Continuing on 'executing' beyond the
point when ASAN has given up has given some pretty cool results.

I think the best way to get the most benefit out of this work is to
prioritize requesting CVEs for these issues with the Google CNA. Having
these additional details clearly visible to everybody using the CVE
infrastructure would benefit not only Ubuntu but also all our friends
in the other distributions.

There's two Google CNAs registered with the CVE project:
https://cve.mitre.org/cve/request_id.html
android-cna-team at google.com
security at google.com

I'll be honest, I don't know which CNA would be better; you may need to
discuss the project with both in order to figure out how to best handle
the work.

Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20210512/e8868911/attachment.sig>


More information about the kernel-team mailing list