Friday 11 June 2021

Re: Missing critical patches of several high-risk bugs

On Thu, May 13, 2021 at 10:22:05PM -0700, syzscope sys wrote:
> I just found out that Ubuntu is on the CVE CNA list.
> Do you think it's possible that Ubuntu could assign the CVEs for those
> issues directly instead of asking Google? Once the CVE is assigned, it
> should not only benefit Ubuntu but also other potentially affected
> kernels.

Yes, Ubuntu is a CNA -- it's one of my roles. :)

I suggested using one of Google's CNAs for a few reasons:

- Google has vastly more resources than we do. Doing a decent job of
assigning CVEs takes time and effort, and we're already trying to do
too much with too few resources. Taking on the essentially unbounded
amount of work of "assign CVEs for all syzkaller findings" is simply
speaking not a commitment that I can make.

- Google's syzkaller and infrastructure are already doing the work to find
and publicise the issues; it's quite common for vulnerability
discoverers to use their own internal CNA resources for this.

I know Canonical, and Ubuntu users, would be better off if someone
assigned CVEs to these findings. It's just not something I can commit to
doing because of the scale of work involved.

Thanks