diff --git a/cves/kernel/CVE-2015-7566.yml b/cves/kernel/CVE-2015-7566.yml index 309b12e95..15ce9abdb 100644 --- a/cves/kernel/CVE-2015-7566.yml +++ b/cves/kernel/CVE-2015-7566.yml @@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2016-02-24' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,11 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + When using a USB device that lacks a bulk-out endpoint (what sends data from the host to the device), + a NULL pointer error occurs. This causes the system to crash which can lead to more errors and corruption. + This happens due to an incomplete sanity check, the visor driver tries to dereference null-pointers when + a USB is plugged in. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -75,7 +79,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [1296466, 1297517] fixes_instructions: | Please put the commit hash in "commit" below. 
@@ -84,14 +88,9 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: -- commit: - note: - commit: cb3232138e37129e88240a98a1d2aba2187ff57c note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Taken from NVD references list with Git commit. Manually confirmed. vcc_instructions: | The vulnerability-contributing commits. @@ -106,7 +105,7 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - note: Discovered automatically by archeogit. + note: Discovered automatically by archeogit. Manually confirmed. This is the inital commit of the repo. upvotes_instructions: | For the first round, ignore this upvotes number. @@ -114,7 +113,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 5 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -129,10 +128,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: False + code_answer: No unit tests + fix: False + fix_answer: No unit tests discovered: question: | How was this vulnerability discovered? 
@@ -147,10 +146,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: Ralf Spenneberg of OpenSource Security reported the issue, and it was found with a fuzzer. + automated: True + contest: False + developer: True autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -167,8 +166,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: Yes, it was discovered when tested with a fuzzer. + answer: True specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -184,8 +183,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: No mention of specifications. + answer: False subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -219,8 +218,9 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: drivers + note: | + Specifically drivers/usb/serial/visor.c in clie_5_attach. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? @@ -251,8 +251,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: No internationalization present sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -266,8 +266,9 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + Unrelated to sandboxing. ipc: question: | Did the feature that this vulnerability affected use inter-process 
@@ -278,8 +279,10 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + The error is concerning the bulk OUT endpoint of USB devices. When it attempts to communicate + with a USB device without the endpoint it will cause a systen crash. discussion: question: | Was there any discussion surrounding this? @@ -305,9 +308,10 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: False + any_discussion: True + note: | + https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7566 vouch: question: | Was there any part of the fix that involved one person vouching for @@ -320,8 +324,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: Code was reviewed before it was committed. Signed off by Johan Hovold and Vladis Dronov. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -335,9 +339,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: False + stacktrace_with_fix: False + note: Could not find any stacktraces forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -356,8 +360,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: It was never checked to see if the USB device had a bulk OUT endpoint, which caused the errror. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of 
@@ -369,8 +373,9 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + No order of operations present. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -387,37 +392,37 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: - note: + applies: True + note: This applys because there was a forgotten check that led to it being insecure. least_privilege: - applies: + applies: False note: frameworks_are_optional: - applies: + applies: False note: native_wrappers: - applies: + applies: False note: distrust_input: - applies: - note: + applies: True + note: Because it was assumed that USB's would be formatted correctly it never accounted for the vulnerability. security_by_obscurity: - applies: + applies: False note: serial_killer: - applies: + applies: False note: environment_variables: - applies: + applies: False note: secure_by_default: - applies: + applies: False note: yagni: - applies: + applies: False note: complex_inputs: - applies: + applies: False note: mistakes: question: | @@ -448,7 +453,10 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + There were no checks to make sure that there was an endpoint to write to because it was potentionally assumed + that all USB devices would be normal and working. This led the the error occuring when USb devices were inproperly + formatted or purposefully tampered with. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to 
@@ -464,7 +472,7 @@ CWE_instructions: | CWE: ["123", "456"] # this is ok CWE: [123, 456] # also ok CWE: 123 # also ok -CWE: +CWE: 476 CWE_note: nickname_instructions: | A catchy name for this vulnerability that would draw attention it. diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index 7b1556d31..434ebf33e 100644 --- a/cves/kernel/CVE-2019-12379.yml +++ b/cves/kernel/CVE-2019-12379.yml @@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2019-05-28' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. 
@@ -55,7 +55,13 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + A possible memory leak in the Linux drivers due to incorrect freeing of memory. + Memlory leaks in general can lead to a situation where the + system uses up memory unnecessarily, especially in cases where the system is + already low on memory. This can potentially cause disruptions in the system's + performance and stability. However, it doesn't seem like this was ever actually an issue and + the attempted solution was quickly reverted as it ended up causing a memory leak. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -75,7 +81,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [1715491] fixes_instructions: | Please put the commit hash in "commit" below. @@ -88,14 +94,10 @@ fixes: note: - commit: note: -- commit: 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac - note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' - commit: 15b3cd8ef46ad1b100e0d3c7e38774f330726820 note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Taken from NVD references list with Git commit. Manually confirmed. This reverts the + previous commit. vcc_instructions: | The vulnerability-contributing commits. 
@@ -110,9 +112,11 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - note: Discovered automatically by archeogit. + note: Discovered automatically by archeogit. Manually confirmed. This is the inital commit of the repo. - commit: 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac - note: Discovered automatically by archeogit. + note: | + Discovered automatically by archeogit. Manually confirmed. In an attempt to fix the memory leak, it actually + caused. upvotes_instructions: | For the first round, ignore this upvotes number. @@ -120,7 +124,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 3 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -135,10 +139,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: False + code_answer: No unit testing + fix: False + fix_answer: No unit testing discovered: question: | How was this vulnerability discovered? @@ -153,10 +157,12 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: | + Unsure how the possible memory leak was discovered. Checked commit history and discussion posts. + This was most likely never a real issue. + automated: False + contest: False + developer: False autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered 
@@ -173,8 +179,10 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + A brute force fuzzer attack or stress test could discover the memory leak. This is because it would + slowly eat up all the memory and either crash or slow the system considerably. + answer: True specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -190,8 +198,9 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + Could not find any evidence of the specification. + answer: False subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -225,8 +234,9 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: drivers + note: | + Specifically drivers/tty/vt/consolemap.c in con_insert_unipair. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? @@ -241,8 +251,11 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: + - commit: 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac + note: | + This was an attempt to fix the memory leak. However, it seems to have introduced a memory leak into the system + as it incorrectly freed memory. See the revert 15b3cd8ef46ad1b100e0d3c7e38774f330726820 for more information on + why this commit introduced a memory leak instead of fixing one. - commit: note: i18n: 
@@ -257,8 +270,9 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + No evidence of internationalization being related to this. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -272,8 +286,9 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + This is unrelated to permissions. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -284,8 +299,9 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + The error is contained within itself. discussion: question: | Was there any discussion surrounding this? @@ -311,9 +327,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: True + any_discussion: True + note: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-12379 vouch: question: | Was there any part of the fix that involved one person vouching for @@ -326,8 +342,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: Code was reviewed before it was committed. stacktrace: question: | Are there any stacktraces in the bug reports? 
@@ -341,9 +357,10 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: False + stacktrace_with_fix: False + note: | + No stacktraces found. Unclear if this was even an issue. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -362,8 +379,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: Issue is concerning freeing memory and does not check values. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -375,8 +392,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: Issue is concerning freeing memory and order does not matter. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -393,37 +410,37 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: False note: least_privilege: - applies: + applies: False note: frameworks_are_optional: - applies: + applies: False note: native_wrappers: - applies: + applies: False note: distrust_input: - applies: + applies: False note: security_by_obscurity: - applies: + applies: False note: serial_killer: - applies: + applies: False note: environment_variables: - applies: + applies: False note: secure_by_default: - applies: + applies: False note: yagni: - applies: + applies: False note: complex_inputs: - applies: + applies: False note: mistakes: question: | 
@@ -454,7 +471,10 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + It looks like there was a misunderstanding in what parts of the code were doing, which led + to the bug report being incorrectly filed and a incorrect solution being put in place that + actually caused more issues. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -470,8 +490,7 @@ CWE_instructions: | CWE: ["123", "456"] # this is ok CWE: [123, 456] # also ok CWE: 123 # also ok -CWE: -- 401 +CWE: 401 CWE_note: | CWE as registered in the NVD. If you are curating, check that this is correct and replace this comment with "Manually confirmed". @@ -480,4 +499,4 @@ nickname_instructions: | If the report mentions a nickname, use that. Must be under 30 characters. Optional. nickname: -CVSS: +CVSS: \ No newline at end of file
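Review bot: In the CVE-2015-7566.yml `description` hunk (@@ -55,7 +55,11 @@), "This causes the system to crash which can lead to more errors and corruption" goes beyond what the entry supports: a NULL pointer dereference in a driver (CWE 476, a missing endpoint check) gives a kernel crash, i.e. denial of service, and nothing else in the file points to corruption, so drop the "more errors and corruption" clause. The last sentence is also a comma splice ("an incomplete sanity check, the visor driver tries to dereference null-pointers"); split it, and "when a USB is plugged in" should read "when a USB device is plugged in".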
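Review bot: In the CVE-2015-7566.yml `vccs` hunk (@@ -106,7 +105,7 @@), "inital" should be "initial". Since the blamed commit is the repository's first commit, the note should also say what that implies: archeogit could not attribute the flaw to a later change, so the missing endpoint check was present in the visor driver as originally imported.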
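Review bot: In the CVE-2015-7566.yml `discovered` hunk (@@ -147,10 +146,10 @@), `developer: True` conflicts with the answer text, which credits Ralf Spenneberg of OpenSource Security, an outside reporter, and a fuzzer. If the field means "found by a developer of the project", it should be False; if it is meant some other way, the answer should say so.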
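Review bot: In the CVE-2015-7566.yml `ipc` hunk (@@ -278,8 +279,10 @@), `answer: True` does not follow from the note: writing to a USB bulk OUT endpoint is host-to-device I/O performed by the driver, not inter-process communication between processes on the host. Either set the answer to False or name the IPC mechanism the feature actually uses. Also "systen crash" should be "system crash".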
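Review bot: In the CVE-2015-7566.yml `lessons` hunk (@@ -387,37 +392,37 @@), the `defense_in_depth` note ("there was a forgotten check that led to it being insecure") is the same rationale given for `distrust_input`, not a defense-in-depth argument; either explain which additional layer would have contained a single missed check, or set it to False. Spelling: "applys" should be "applies", and "USB's" in the `distrust_input` note should be "USB devices".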
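Review bot: In the CVE-2015-7566.yml `mistakes` hunk (@@ -448,7 +453,10 @@), fix the spelling: "potentionally" to "potentially", "led the the" to "led to the", "occuring" to "occurring", "USb" to "USB", "inproperly" to "improperly". The hedge "it was potentionally assumed" is also unnecessary, since the `forgotten_check` field in the same file already states the check was missing; say directly that the driver assumed every device has a bulk OUT endpoint.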
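Review bot: In the CVE-2015-7566.yml `CWE` hunk (@@ -464,7 +472,7 @@), `CWE: 476` is filled in but the `CWE_note:` line directly below it is left empty; add a short justification (NULL pointer dereference matches the missing endpoint check) so the value is traceable, as was done for the fixes and vccs notes.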
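Review bot: In the CVE-2019-12379.yml `description` hunk (@@ -55,7 +55,13 @@), "Memlory" should be "Memory", and the last sentence contradicts the opening: the first sentence presents the vulnerability as a memory leak, while the last says the attempted solution "was quickly reverted as it ended up causing a memory leak", which reads as if the fix, not the vulnerability, caused the leak. The `interesting_commits` note in the same file already has the clear version: 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac introduced the leak by freeing memory incorrectly and 15b3cd8ef46ad1b100e0d3c7e38774f330726820 reverted it; state that here.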
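Review bot: In the CVE-2019-12379.yml `fixes` hunk (@@ -88,14 +94,10 @@), the two empty `- commit:` / `note:` placeholder entries shown in the context above the kept commit are left in place, whereas the matching hunk in CVE-2015-7566.yml removes its placeholders; drop them here as well so the list holds only real commits. "This reverts the previous commit." is also ambiguous; name 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac explicitly.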
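Review bot: In the CVE-2019-12379.yml `vccs` hunk (@@ -110,9 +112,11 @@), the second note ends in a fragment: "In an attempt to fix the memory leak, it actually caused." is missing its object. Suggested wording: "In an attempt to fix a memory leak, this commit introduced one by freeing memory incorrectly; see the revert 15b3cd8ef46ad1b100e0d3c7e38774f330726820." Also "inital" should be "initial" in the first note.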
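Review bot: In the CVE-2019-12379.yml `sandbox` hunk (@@ -272,8 +286,9 @@), the note "This is unrelated to permissions." answers a different question than the one asked, which is whether a sandboxing feature was violated; reword it to say no sandboxing mechanism is involved in a console map memory leak.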
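Review bot: In the CVE-2019-12379.yml `mistakes` hunk (@@ -454,7 +471,10 @@), "a incorrect solution" should be "an incorrect solution", and "a misunderstanding in what parts of the code were doing" gives the reader nothing concrete; the `interesting_commits` note already says the attempted fix freed memory incorrectly and had to be reverted, so state that here as the mistake.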
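Review bot: In the CVE-2019-12379.yml `CWE` hunk (@@ -470,8 +490,7 @@), the value is reformatted to `CWE: 401` but the `CWE_note` in the context still carries the automated placeholder "If you are curating, check that this is correct and replace this comment with 'Manually confirmed'"; update it to "Manually confirmed" as the fixes notes were.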
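Review bot: In the final CVE-2019-12379.yml hunk (@@ -480,4 +499,4 @@), `+CVSS: ` adds trailing whitespace and drops the file's terminating newline ("\ No newline at end of file") without changing the value; revert this hunk so `CVSS:` keeps its newline.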