Missing critical patches of several high-risk bugs

syzscope sys syzscope at gmail.com
Fri May 14 05:22:05 UTC 2021


Hi Seth,
I just found out that Ubuntu is on the CVE CNA list.
Do you think it's possible that Ubuntu could assign the CVEs for those
issues directly instead of asking Google? Once the CVE is assigned, it
should also not only benefit Ubuntu but also other potentially affected
kernels.

On Tue, May 11, 2021 at 6:57 PM Seth Arnold <seth.arnold at canonical.com>
wrote:

> On Fri, May 07, 2021 at 05:47:51PM -0700, SyzScope wrote:
> > This is SyzScope, a research project that aims to reveal high-risk
> > primitives from a low-risk bug.
>
> Hello, this is pretty cool stuff. Continuing on 'executing' beyond the
> point when ASAN has given up has given some pretty cool results.
>
> I think the best way to get the most benefit out of this work is to
> prioritize requesting CVEs for these issues with the Google CNA. Having
> these additional details clearly visible to everybody using the CVE
> infrastructure would benefit not only Ubuntu but also all our friends
> in the other distributions.
>
> There's two Google CNAs registered with the CVE project:
> https://cve.mitre.org/cve/request_id.html
> android-cna-team at google.com
> security at google.com
>
> I'll be honest, I don't know which CNA would be better; you may need to
> discuss the project with both in order to figure out how to best handle
> the work.
>
> Thanks
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-devel/attachments/20210513/e0060082/attachment.html>


More information about the ubuntu-devel mailing list