Thursday 13 May 2021

Re: Missing critical patches of several high-risk bugs

Hi Seth,
I just found out that Ubuntu is on the CVE CNA list.
Do you think it's possible that Ubuntu could assign the CVEs for those issues directly instead of asking Google? Once the CVEs are assigned, it should benefit not only Ubuntu but also other potentially affected kernels.

On Tue, May 11, 2021 at 6:57 PM Seth Arnold <seth.arnold@canonical.com> wrote:
On Fri, May 07, 2021 at 05:47:51PM -0700, SyzScope wrote:
> This is SyzScope, a research project that aims to reveal high-risk
> primitives from a low-risk bug.

Hello, this is pretty cool stuff. Continuing on 'executing' beyond the
point when ASAN has given up has given some pretty cool results.

I think the best way to get the most benefit out of this work is to
prioritize requesting CVEs for these issues with the Google CNA. Having
these additional details clearly visible to everybody using the CVE
infrastructure would benefit not only Ubuntu but also all our friends
in the other distributions.

There's two Google CNAs registered with the CVE project:
https://cve.mitre.org/cve/request_id.html
android-cna-team@google.com
security@google.com

I'll be honest, I don't know which CNA would be better; you may need to
discuss the project with both in order to figure out how to best handle
the work.

Thanks