Re: CVE-2018-1130: Linux kernel: dccp: a null pointer dereference in net/dccp/output.c:dccp_write_xmit

[Andrey Konovalov <andreyknvl () gmail com>]

On Fri, May 25, 2018 at 3:49 PM, Kurt Seifried <kseifried () redhat com> wrote:
> On Fri, May 25, 2018 at 4:48 AM, Andrey Konovalov <andreyknvl () gmail com>
> wrote:
> > Hi Kurt,
> >
> > Perhaps I should've been more clear. I wasn't asking "what qualifies
> > for a CVE?", but rather "There are a 100 bugs that qualify for CVEs,
> > how do single out 10 of them to actually request CVEs for?".
>
> So if a security vulnerability qualifies for CVE INCLUSION (see
> https://cve.mitre.org/cve/editorial_policies/counting_rules.html) the next
> step is to SPLIT and MERGE the vulns as needed. Esentially what we want is
> to end up with buckets where each bucket of vulnerability(s) is:
>
> 1) unique to a specific code base
> 2) unique to a specific version(s)(*)
> 3) the same root cause (this is where you have to do homework)
>
> * Note: the version thing, obviously the affected versions/commits for
> these will be different in the Linux kernel and so by this rule, strictly
> speaking each vuln would get it's own CVE, but in general if they all
> affect the same broad version of the Linux Kernel they can be bucketed
> together.
>
> So assuming the homework is done of properly identifying and classifying
> these security vulnerabilities then you can simply request CVE's for all of
> them, the worst ones, or whatever you want. I would of course prefer that
> all of them be identified/tracked but that's just me.

Nevermind, you're missing the point of what I'm asking :)

> > In particular, the 100 bugs that I'm referring to are the bugs
> > reported by syzbot (perhaps there's even more:
> > https://syzkaller.appspot.com/?fixed=upstream) and the 10 bugs (or so)
> > are the ones Vladis announced on oss-security over the last few
> > months. I'm just curious how did he choose those 10 bugs out of that
> > 100+.
>
> You'd have to ask him.

That's exactly what I did.