Documentation: Document the Linux Kernel CVE process
Commit Message
The Linux kernel project now has the ability to assign CVEs to fixed
issues, so document the process and how individual developers can get a
CVE if one is not automatically assigned for their fixes.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Lee Jones <lee@kernel.org>
---
Documentation/process/cve.rst | 116 ++++++++++++++++++++++++
Documentation/process/index.rst | 1 +
Documentation/process/security-bugs.rst | 6 +-
3 files changed, 120 insertions(+), 3 deletions(-)
create mode 100644 Documentation/process/cve.rst
Comments
On Tue, Feb 13, 2024 at 07:48:12PM +0100, Greg Kroah-Hartman wrote:
> The Linux kernel project now has the ability to assign CVEs to fixed
> issues, so document the process and how individual developers can get a
> CVE if one is not automatically assigned for their fixes.
>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> Signed-off-by: Lee Jones <lee@kernel.org>
> ---
Jon, if you don't have any objections, I can just take this in my tree
for the next -rc pull request I have for Linus with other driver-core
type stuff.
thanks,
greg k-h
Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
> On Tue, Feb 13, 2024 at 07:48:12PM +0100, Greg Kroah-Hartman wrote:
>> The Linux kernel project now has the ability to assign CVEs to fixed
>> issues, so document the process and how individual developers can get a
>> CVE if one is not automatically assigned for their fixes.
>>
>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>> Signed-off-by: Lee Jones <lee@kernel.org>
>> ---
>
> Jon, if you don't have any objections, I can just take this in my tree
> for the next -rc pull request I have for Linus with other driver-core
> type stuff.
Up to you - I probably have another 6.8 pull to do as well. Happy
either way, if you want to push it:
Acked-by: Jonathan Corbet <corbet@lwn.net>
Thanks,
jon
On 2/13/24 10:48, Greg Kroah-Hartman wrote:
> The Linux kernel project now has the ability to assign CVEs to fixed
> issues, so document the process and how individual developers can get a
> CVE if one is not automatically assigned for their fixes.
>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> Signed-off-by: Lee Jones <lee@kernel.org>
> ---
> Documentation/process/cve.rst | 116 ++++++++++++++++++++++++
> Documentation/process/index.rst | 1 +
> Documentation/process/security-bugs.rst | 6 +-
> 3 files changed, 120 insertions(+), 3 deletions(-)
> create mode 100644 Documentation/process/cve.rst
>
> diff --git a/Documentation/process/cve.rst b/Documentation/process/cve.rst
> new file mode 100644
> index 000000000000..17df5d673102
> --- /dev/null
> +++ b/Documentation/process/cve.rst
> @@ -0,0 +1,116 @@
> +CVEs
> +====
> +
> +Common Vulnerabilities and Exposure (CVE®) numbers, were developed as an
no comma ^
> +unambiguous way to identify, define, and catalog publically disclosed
publicly
> +security vulnerabilities. Over time, their usefulness has declined with
> +regards to the kernel project, and CVE numbers were very often assigned
> +in inappropriate ways and for inappropriate reasons. Because of this,
> +the kernel development community has tended to avoid them. However, the
> +combination of continuing pressure to assign CVEs and other forms of
> +security identifiers, and ongoing abuses by community members outside of
> +the kernel community has made it clear that the kernel community should
> +have control over those assignments.
> +
> +The Linux kernel developer team does have the ability to assign CVEs for
> +potential Linux kernel security issues. This assignment is independent
> +of the :doc:`normal Linux kernel security bug reporting
> +process<../process/security_bugs>`.
> +
> +A list of all assigned CVEs for the Linux kernel can be found in the
> +archives of the linux-cve mailing list, as seen on
> +https://lore.kernel.org/linux-cve-announce/. To get notice of the
> +assigned CVEs, please subscribe to that mailing list.
> +
> +Process
> +-------
> +
> +As part of the normal stable release process, kernel changes that are
> +potentially security issues are identified by the developers responsible
> +for CVE number assignments and have CVE numbers automatically assigned
> +to them. These assignments are published on the linux-cve mailing list
linux-cve-announce mailing list
> +as announcements on a frequent basis.
> +
> +Note, due to the layer at which the Linux kernel is in a system, almost
> +any bug might be exploitable to compromise the security of the kernel,
> +but the possibility of exploitation is often not evident when the bug is
> +fixed. Because of this, the CVE assignment team are overly cautious and
is
to be consistent.
> +assign CVE numbers to any bugfix that they identify. This
> +explains the seemingly large number of CVEs that are issued by the Linux
> +kernel team.
> +
> +If the CVE assignment team misses a specific fix that any user feels
> +should have a CVE assigned to it, please email them at <cve@kernel.org>
> +and the team there will work with you on it. Note, that no potential
no comma ^
> +security issues should be sent to this alias, it is ONLY for assignment
> +of CVEs for fixes that are already in released kernel trees. If you
> +feel you have found an unfixed security issue, please follow the
> +:doc:`normal Linux kernel security bug reporting
> +process<../process/security_bugs>`.
> +
> +No CVEs will be assigned for unfixed security issues in the Linux
> +kernel, assignment will only happen after a fix is available as it can
kernel;
> +be properly tracked that way by the git commit id of the original fix.
> +
> +No CVEs will be assigned for any issue found in a version of the kernel
> +that is not currently being actively supported by the Stable/LTS kernel
> +team. A list of the currently supported kernel branches can be found at
> +https://kernel.org/category/releases.html
> +
> +Disputes of assigned CVEs
> +-------------------------
> +
> +The authority to dispute or modify an assigned CVE for a specific kernel
> +change lies solely with the maintainers of the relevant subsystem
> +affected. This principle ensures a high degree of accuracy and
> +accountability in vulnerability reporting. Only those individuals with
> +deep expertise and intimate knowledge of the subsystem can effectively
> +assess the validity and scope of a reported vulnerability and determine
> +its appropriate CVE designation. Any attempt to modify or dispute a CVE
> +outside of this designated authority could lead to confusion, inaccurate
> +reporting, and ultimately, compromised systems.
> +
> +Invalid CVEs
> +------------
> +
> +If a security issue is found in a Linux kernel that is only supported by
> +a Linux distribution due to the changes that have been made by that
> +distribution, or due to the distribution supporting a kernel version
> +that is no longer one of the kernel.org supported releases, then a CVE
> +can not be assigned by the Linux kernel CVE team, and must be asked for
> +from that Linux distribution itself.
> +
> +Any CVE that is assigned against the Linux kernel for an actively
> +supported kernel version, by any group other than the kernel assignment
> +CVE team should not be treated as a valid CVE. Please notify the
> +kernel CVE assignment team at <cve@kernel.org> so that they can work to
> +invalidate such entries through the CNA remediation process.
> +
> +Applicability of specific CVEs
> +------------------------------
> +
> +As the Linux kernel can be used in many different ways, with many
> +different ways of accessing it by external users, or no access at all,
> +the applicability of any specific CVE is up to the user of Linux to
> +determine, it is not up to the CVE assignment team. Please do not
> +contact us to attempt to determine the applicability of any specific
> +CVE.
> +
> +Also, as the source tree is so large, and any one system only uses a
> +small subset of the source tree, any users of Linux should be aware that
> +large numbers of assigned CVEs are not relevant for their systems.
> +
> +In short, we do not know your use case, and we do not know what portions
> +of the kernel that you use, so there is no way for us to determine if a
> +specific CVE is relevant for your system.
> +
> +As always, it is best to take all released kernel changes, as they are
> +tested together in a unified whole by many community members, and not as
> +individual cherry-picked changes. Also note that for many bugs, the
> +solution to the overall problem is not found in a single change, but by
> +the sum of many fixes on top of each other. Ideally CVEs will be
> +assigned to all fixes for all issues, but sometimes we do not notice
> +fixes in released kernels, so do not assume that because a specific
> +change does not have a CVE assigned to it, that it is not relevant to
> +take.
> +
On Tue, Feb 13, 2024 at 07:48:12PM +0100, Greg Kroah-Hartman wrote:
> +No CVEs will be assigned for unfixed security issues in the Linux
> +kernel, assignment will only happen after a fix is available as it can
> +be properly tracked that way by the git commit id of the original fix.
This seems at odds with the literal definition of what CVEs are:
_vulnerability_ enumeration. This is used especially during the
coordination of fixes; how is this meant to interact with embargoed
vulnerability fixing?
Outside of that, I welcome the fire-hose of coming identifiers! I think
this will more accurately represent the number of fixes landing in
stable trees and how important it is for end users to stay current on
a stable kernel.
Reviewed-by: Kees Cook <keescook@chromium.org>
On Tue, Feb 13, 2024 at 02:35:24PM -0800, Kees Cook wrote:
> On Tue, Feb 13, 2024 at 07:48:12PM +0100, Greg Kroah-Hartman wrote:
> > +No CVEs will be assigned for unfixed security issues in the Linux
> > +kernel, assignment will only happen after a fix is available as it can
> > +be properly tracked that way by the git commit id of the original fix.
>
> This seems at odds with the literal definition of what CVEs are:
> _vulnerability_ enumeration. This is used especially during the
> coordination of fixes; how is this meant to interact with embargoed
> vulnerability fixing?
Yes, this is totally wrong, it was the original first draft of the
document, that I did on my workstation, and then went on the road for 3+
weeks and I never synced up when I got home with the updated version
that is on my laptop. The updated version addresses this, as it was
rightly pointed out by the CVE group that this is not how a CNA is
supposed to only work.
Yet another reason why keeping changes private is a major pain, not only
for security ones! :(
Let me send out the proper one after my morning coffee has kicked in and
I resolve the differences, and make the grammar fixes that Randy pointed
out...
> Outside of that, I welcome the fire-hose of coming identifiers! I think
> this will more accurately represent the number of fixes landing in
> stable trees and how important it is for end users to stay current on
> a stable kernel.
Agreed.
> Reviewed-by: Kees Cook <keescook@chromium.org>
Many thanks for the review!
greg k-h
On Tue, Feb 13, 2024 at 11:56:42AM -0800, Randy Dunlap wrote:
> > +As part of the normal stable release process, kernel changes that are
> > +potentially security issues are identified by the developers responsible
> > +for CVE number assignments and have CVE numbers automatically assigned
> > +to them. These assignments are published on the linux-cve mailing list
>
> linux-cve-announce mailing list
Ah, good catch, you can see the "old" name for the list here, this is
due to this document being an older version, a symptom of "write it on
my workstation, sync to laptop, travel with laptop for 3+ weeks and make
changes based on meetings with CVE and others and then forget to sync
from laptop when arriving home".
Ugh :(
Thanks so much for the grammar fixes, they are much appreciated. I'll
apply them and send out the latest version in a bit.
> > +No CVEs will be assigned for unfixed security issues in the Linux
> > +kernel, assignment will only happen after a fix is available as it can
>
> kernel;
>
> > +be properly tracked that way by the git commit id of the original fix.
One of my goals in life is to never use a ';' in a sentence, and after
writing 2 books without them, I thought I achieved that pretty well as I
never seem to remember when they are to be used or not. But I'll trust
you on this and use it here.
thanks again for the review, much appreciated.
greg k-h
On Wed, Feb 14, 2024 at 07:43:32AM +0100, Greg Kroah-Hartman wrote:
> On Tue, Feb 13, 2024 at 02:35:24PM -0800, Kees Cook wrote:
> > On Tue, Feb 13, 2024 at 07:48:12PM +0100, Greg Kroah-Hartman wrote:
> > > +No CVEs will be assigned for unfixed security issues in the Linux
> > > +kernel, assignment will only happen after a fix is available as it can
> > > +be properly tracked that way by the git commit id of the original fix.
> >
> > This seems at odds with the literal definition of what CVEs are:
> > _vulnerability_ enumeration. This is used especially during the
> > coordination of fixes; how is this meant to interact with embargoed
> > vulnerability fixing?
>
> Yes, this is totally wrong, it was the original first draft of the
> document, that I did on my workstation, and then went on the road for 3+
> weeks and I never synced up when I got home with the updated version
> that is on my laptop. The updated version addresses this, as it was
> rightly pointed out by the CVE group that this is not how a CNA is
> supposed to only work.
>
> Yet another reason why keeping changes private is a major pain, not only
> for security ones! :(
>
> Let me send out the proper one after my morning coffee has kicked in and
> I resolve the differences, and make the grammar fixes that Randy pointed
> out...
To make it more obvious here, as others have pointed this out to me as
well, here's the updated paragraph that will be in my v2 patch, with
proper ';' usage:
No CVEs will be automatically assigned for unfixed security issues in
the Linux kernel; assignment will only automatically happen after a fix
is available and applied to a stable kernel tree, and it will be tracked
that way by the git commit id of the original fix. If anyone wishes to
have a CVE assigned before an issue is resolved with a commit, please
contact the kernel CVE assignment team at <cve@kernel.org> to get an
identifier assigned from their batch of reserved identifiers.
Does that help explain the process better?
thanks,
greg k-h
On 2/13/24 23:15, Greg Kroah-Hartman wrote:
> On Tue, Feb 13, 2024 at 11:56:42AM -0800, Randy Dunlap wrote:
>>> +As part of the normal stable release process, kernel changes that are
>>> +potentially security issues are identified by the developers responsible
>>> +for CVE number assignments and have CVE numbers automatically assigned
>>> +to them. These assignments are published on the linux-cve mailing list
>>
>> linux-cve-announce mailing list
>
> Ah, good catch, you can see the "old" name for the list here, this is
> due to this document being an older version, a symptom of "write it on
> my workstation, sync to laptop, travel with laptop for 3+ weeks and make
> changes based on meetings with CVE and others and then forget to sync
> from laptop when arriving home".
>
> Ugh :(
>
> Thanks so much for the grammar fixes, they are much appreciated. I'll
> apply them and send out the latest version in a bit.
>
>>> +No CVEs will be assigned for unfixed security issues in the Linux
>>> +kernel, assignment will only happen after a fix is available as it can
>>
>> kernel;
>>
>>> +be properly tracked that way by the git commit id of the original fix.
>
> One of my goals in life is to never use a ';' in a sentence, and after
> writing 2 books without them, I thought I achieved that pretty well as I
> never seem to remember when they are to be used or not. But I'll trust
> you on this and use it here.
For some reason kernel documentation has a plethora of run-on sentences. :(
Guess we need doclint.
On Wed, Feb 14, 2024 at 08:45:19AM +0100, Greg Kroah-Hartman wrote:
> On Wed, Feb 14, 2024 at 07:43:32AM +0100, Greg Kroah-Hartman wrote:
> > On Tue, Feb 13, 2024 at 02:35:24PM -0800, Kees Cook wrote:
> > > On Tue, Feb 13, 2024 at 07:48:12PM +0100, Greg Kroah-Hartman wrote:
> > > > +No CVEs will be assigned for unfixed security issues in the Linux
> > > > +kernel, assignment will only happen after a fix is available as it can
> > > > +be properly tracked that way by the git commit id of the original fix.
> > >
> > > This seems at odds with the literal definition of what CVEs are:
> > > _vulnerability_ enumeration. This is used especially during the
> > > coordination of fixes; how is this meant to interact with embargoed
> > > vulnerability fixing?
> >
> > Yes, this is totally wrong, it was the original first draft of the
> > document, that I did on my workstation, and then went on the road for 3+
> > weeks and I never synced up when I got home with the updated version
> > that is on my laptop. The updated version addresses this, as it was
> > rightly pointed out by the CVE group that this is not how a CNA is
> > supposed to only work.
> >
> > Yet another reason why keeping changes private is a major pain, not only
> > for security ones! :(
> >
> > Let me send out the proper one after my morning coffee has kicked in and
> > I resolve the differences, and make the grammar fixes that Randy pointed
> > out...
>
> To make it more obvious here, as others have pointed this out to me as
> well, here's the updated paragraph that will be in my v2 patch, with
> proper ';' usage:
>
> No CVEs will be automatically assigned for unfixed security issues in
> the Linux kernel; assignment will only automatically happen after a fix
> is available and applied to a stable kernel tree, and it will be tracked
> that way by the git commit id of the original fix. If anyone wishes to
> have a CVE assigned before an issue is resolved with a commit, please
> contact the kernel CVE assignment team at <cve@kernel.org> to get an
> identifier assigned from their batch of reserved identifiers.
>
> Does that help explain the process better?
Yeah, that's great. It gets qualified with the "automatic" bit, which
makes this clear now. Thanks!
-Kees
new file mode 100644
@@ -0,0 +1,116 @@
+CVEs
+====
+
+Common Vulnerabilities and Exposure (CVE®) numbers, were developed as an
+unambiguous way to identify, define, and catalog publically disclosed
+security vulnerabilities. Over time, their usefulness has declined with
+regards to the kernel project, and CVE numbers were very often assigned
+in inappropriate ways and for inappropriate reasons. Because of this,
+the kernel development community has tended to avoid them. However, the
+combination of continuing pressure to assign CVEs and other forms of
+security identifiers, and ongoing abuses by community members outside of
+the kernel community has made it clear that the kernel community should
+have control over those assignments.
+
+The Linux kernel developer team does have the ability to assign CVEs for
+potential Linux kernel security issues. This assignment is independent
+of the :doc:`normal Linux kernel security bug reporting
+process<../process/security_bugs>`.
+
+A list of all assigned CVEs for the Linux kernel can be found in the
+archives of the linux-cve mailing list, as seen on
+https://lore.kernel.org/linux-cve-announce/. To get notice of the
+assigned CVEs, please subscribe to that mailing list.
+
+Process
+-------
+
+As part of the normal stable release process, kernel changes that are
+potentially security issues are identified by the developers responsible
+for CVE number assignments and have CVE numbers automatically assigned
+to them. These assignments are published on the linux-cve mailing list
+as announcements on a frequent basis.
+
+Note, due to the layer at which the Linux kernel is in a system, almost
+any bug might be exploitable to compromise the security of the kernel,
+but the possibility of exploitation is often not evident when the bug is
+fixed. Because of this, the CVE assignment team are overly cautious and
+assign CVE numbers to any bugfix that they identify. This
+explains the seemingly large number of CVEs that are issued by the Linux
+kernel team.
+
+If the CVE assignment team misses a specific fix that any user feels
+should have a CVE assigned to it, please email them at <cve@kernel.org>
+and the team there will work with you on it. Note, that no potential
+security issues should be sent to this alias, it is ONLY for assignment
+of CVEs for fixes that are already in released kernel trees. If you
+feel you have found an unfixed security issue, please follow the
+:doc:`normal Linux kernel security bug reporting
+process<../process/security_bugs>`.
+
+No CVEs will be assigned for unfixed security issues in the Linux
+kernel, assignment will only happen after a fix is available as it can
+be properly tracked that way by the git commit id of the original fix.
+
+No CVEs will be assigned for any issue found in a version of the kernel
+that is not currently being actively supported by the Stable/LTS kernel
+team. A list of the currently supported kernel branches can be found at
+https://kernel.org/category/releases.html
+
+Disputes of assigned CVEs
+-------------------------
+
+The authority to dispute or modify an assigned CVE for a specific kernel
+change lies solely with the maintainers of the relevant subsystem
+affected. This principle ensures a high degree of accuracy and
+accountability in vulnerability reporting. Only those individuals with
+deep expertise and intimate knowledge of the subsystem can effectively
+assess the validity and scope of a reported vulnerability and determine
+its appropriate CVE designation. Any attempt to modify or dispute a CVE
+outside of this designated authority could lead to confusion, inaccurate
+reporting, and ultimately, compromised systems.
+
+Invalid CVEs
+------------
+
+If a security issue is found in a Linux kernel that is only supported by
+a Linux distribution due to the changes that have been made by that
+distribution, or due to the distribution supporting a kernel version
+that is no longer one of the kernel.org supported releases, then a CVE
+can not be assigned by the Linux kernel CVE team, and must be asked for
+from that Linux distribution itself.
+
+Any CVE that is assigned against the Linux kernel for an actively
+supported kernel version, by any group other than the kernel assignment
+CVE team should not be treated as a valid CVE. Please notify the
+kernel CVE assignment team at <cve@kernel.org> so that they can work to
+invalidate such entries through the CNA remediation process.
+
+Applicability of specific CVEs
+------------------------------
+
+As the Linux kernel can be used in many different ways, with many
+different ways of accessing it by external users, or no access at all,
+the applicability of any specific CVE is up to the user of Linux to
+determine, it is not up to the CVE assignment team. Please do not
+contact us to attempt to determine the applicability of any specific
+CVE.
+
+Also, as the source tree is so large, and any one system only uses a
+small subset of the source tree, any users of Linux should be aware that
+large numbers of assigned CVEs are not relevant for their systems.
+
+In short, we do not know your use case, and we do not know what portions
+of the kernel that you use, so there is no way for us to determine if a
+specific CVE is relevant for your system.
+
+As always, it is best to take all released kernel changes, as they are
+tested together in a unified whole by many community members, and not as
+individual cherry-picked changes. Also note that for many bugs, the
+solution to the overall problem is not found in a single change, but by
+the sum of many fixes on top of each other. Ideally CVEs will be
+assigned to all fixes for all issues, but sometimes we do not notice
+fixes in released kernels, so do not assume that because a specific
+change does not have a CVE assigned to it, that it is not relevant to
+take.
+
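Review bot: both `:doc:` cross-references in this file point at `../process/security_bugs` (underscore), but the target file is `security-bugs.rst` with a hyphen, as the diffstat and the `security-bugs` toctree entry in index.rst show; Sphinx will not resolve the link, so change both to `../process/security-bugs`. The paragraph "No CVEs will be assigned for unfixed security issues in the Linux kernel" also leaves no route to an identifier during embargoed coordination, which Kees raised downthread and Greg accepted; the v2 wording quoted in the thread ("No CVEs will be automatically assigned ... please contact the kernel CVE assignment team at <cve@kernel.org> to get an identifier assigned from their batch of reserved identifiers") resolves this and should replace it. Smaller points: the list is called "the linux-cve mailing list" in two places while the URL is `linux-cve-announce`; the expansion should read "Common Vulnerabilities and Exposures"; "publically" should be "publicly"; and "the CVE assignment team are overly cautious" should be "is", consistent with the singular use elsewhere in the file.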
@@ -81,6 +81,7 @@ of special classes of bugs: regressions and security problems.
handling-regressions
security-bugs
+ cve
embargoed-hardware-issues
Maintainer information
@@ -99,9 +99,9 @@ CVE assignment
The security team does not assign CVEs, nor do we require them for
reports or fixes, as this can needlessly complicate the process and may
delay the bug handling. If a reporter wishes to have a CVE identifier
-assigned, they should find one by themselves, for example by contacting
-MITRE directly. However under no circumstances will a patch inclusion
-be delayed to wait for a CVE identifier to arrive.
+assigned, after a fix is created and merged into a public tree, they can
+contact the :doc:`kernel CVE assignment team<../process/cve>` to obtain
+one.
Non-disclosure agreements
-------------------------
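Review bot: the removed line "However under no circumstances will a patch inclusion be delayed to wait for a CVE identifier to arrive" is not carried over, so the security team's explicit no-delay policy now survives only by implication from "after a fix is created and merged into a public tree"; keep one sentence stating it outright, for example "A fix will never be held back to wait for a CVE identifier." Also, once the cve.rst wording is changed to the v2 text quoted in the thread (identifiers available from the reserved batch before a fix is committed), "after a fix is created and merged into a public tree" here becomes too strict and contradicts that file; phrase it as the normal case rather than a precondition, and point at cve.rst for the exception.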