diff --git a/cves/kernel/CVE-2012-6657.yml b/cves/kernel/CVE-2012-6657.yml index 7585d19a1..1fb9e890e 100644 --- a/cves/kernel/CVE-2012-6657.yml +++ b/cves/kernel/CVE-2012-6657.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that @@ -55,7 +55,8 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: The function sock_setsockopt does not check the type of socket before running tcp_set_keepalive + on it, users could use a RAW socket to crash the system. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -84,14 +85,8 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: -- commit: - note: - commit: 3e10986d1d698140747fcfc2761ec9cb64c1d582 - note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + note: Manually Confirmed vcc_instructions: | The vulnerability-contributing commits. @@ -106,7 +101,7 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - note: Discovered automatically by archeogit. + note: Manually verified upvotes_instructions: | For the first round, ignore this upvotes number. 
@@ -114,7 +109,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 7 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -129,10 +124,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: No automated unit tests were involved. + fix: false + fix_answer: Only the change to the function was part of the commit. discovered: question: | How was this vulnerability discovered? @@ -147,10 +142,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: Discovered by a developer, no used of tools were mentioned. + automated: false + contest: false + developer: false autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -167,8 +162,9 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: The vulnerability relies on a specific type of socket to be used, + a fully automated tool could not find the issue. + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -184,8 +180,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: No mention of a violation of a specification. + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel 
@@ -219,7 +215,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: net note: interesting_commits: question: | @@ -237,8 +233,6 @@ interesting_commits: commits: - commit: note: - - commit: - note: i18n: question: | Was the feature impacted by this vulnerability about internationalization @@ -251,8 +245,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Issue was purely about socket types. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -266,8 +260,9 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: The funtion in question (sock_setsockopt) is used to control socket behavior. + It was not properly checking if the socket was RAW ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -278,8 +273,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Not part of IPC discussion: question: | Was there any discussion surrounding this? @@ -305,9 +300,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: First mention was that it was an issue and required a quick fix. vouch: question: | Was there any part of the fix that involved one person vouching for 
@@ -320,8 +315,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: n/a stacktrace: question: | Are there any stacktraces in the bug reports? @@ -335,9 +330,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: No stacktrace given in report forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -356,8 +351,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: Yes, system forgets to check if Socket is RAW. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -369,8 +364,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Fix adds one new check. lessons: question: | Are there any common lessons we have learned from class that apply to this 
@@ -387,37 +382,37 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: false note: least_privilege: - applies: + applies: false note: frameworks_are_optional: - applies: + applies: false note: native_wrappers: - applies: + applies: false note: distrust_input: - applies: + applies: false note: security_by_obscurity: - applies: + applies: false note: serial_killer: - applies: + applies: false note: environment_variables: - applies: + applies: false note: secure_by_default: - applies: + applies: false note: yagni: - applies: + applies: false note: complex_inputs: - applies: + applies: false note: mistakes: question: | @@ -448,7 +443,7 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: lapse - Forgot to check if socket was RAW CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -473,5 +468,5 @@ nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: -CVSS: +nickname: Socket type non check. +CVSS: \ No newline at end of file diff --git a/cves/kernel/CVE-2019-15216.yml b/cves/kernel/CVE-2019-15216.yml index 5d6a54eb8..17417d397 100644 --- a/cves/kernel/CVE-2019-15216.yml +++ b/cves/kernel/CVE-2019-15216.yml 
@@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that @@ -55,7 +55,8 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: When a USB device is unplugged, the system attempts to log a message + using the device's name AFTER it has been unregistered and name deallocated, causing an error. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -84,14 +85,8 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: -- commit: - note: - commit: ef61eb43ada6c1d6b94668f0f514e4c268093ff3 - note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + note: Manually confirmed vcc_instructions: | The vulnerability-contributing commits. @@ -106,7 +101,7 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 6bc235a2e24a5ef677daee3fd4f74f6cd643e23c - note: Discovered automatically by archeogit. + note: Manually verified upvotes_instructions: | For the first round, ignore this upvotes number. 
@@ -114,7 +109,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 15 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -129,10 +124,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: No tests were associated with this section of code. + fix: false + fix_answer: Only a preexisting function was added, no tests were changed. discovered: question: | How was this vulnerability discovered? @@ -147,10 +142,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: The syzkaller USB fuzzer found the issue as stated in the patch log + automated: true + contest: false + developer: true autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -167,8 +162,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: Yes, a fuzzer found the issue in this case. + answer: true specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -184,8 +179,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: No mention of a violation of a specification. + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel 
@@ -219,7 +214,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: drivers note: interesting_commits: question: | @@ -236,9 +231,9 @@ interesting_commits: * Anything else you find interesting. commits: - commit: - note: - - commit: - note: + note: | + The code was originally written in 2010 and this function was not touched until + the issue was found and a new line for the fix was added in 2019. i18n: question: | Was the feature impacted by this vulnerability about internationalization @@ -251,8 +246,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: This was about USB connections. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -266,8 +261,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The issue was a result of attempting to access information no longer available. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -278,8 +273,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Was in drivers. discussion: question: | Was there any discussion surrounding this? @@ -305,9 +300,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: First mention was that it was an issue and required a quick fix. vouch: question: | Was there any part of the fix that involved one person vouching for 
@@ -320,8 +315,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The bug existed for 9 years before it was found, it was not noticed until a fuzzer found it. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -335,9 +330,10 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: true + stacktrace_with_fix: false + note: The file with the bug is at the top of the stacktrace but not near the line + where the fix was implemented. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -356,8 +352,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Out of order order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -369,8 +365,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: A message based on a device's data attempted to send after the data was removed. lessons: question: | Are there any common lessons we have learned from class that apply to this 
@@ -387,37 +383,37 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: false note: least_privilege: - applies: + applies: false note: frameworks_are_optional: - applies: + applies: false note: native_wrappers: - applies: + applies: false note: distrust_input: - applies: + applies: false note: security_by_obscurity: - applies: + applies: false note: serial_killer: - applies: + applies: false note: environment_variables: - applies: + applies: false note: secure_by_default: - applies: + applies: false note: yagni: - applies: + applies: false note: complex_inputs: - applies: + applies: false note: mistakes: question: | @@ -448,7 +444,7 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: The main mistake was a lack of critical thinking about order of operations. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -473,5 +469,5 @@ nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: +nickname: Requesting Null Data CVSS: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
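Review bot: the new `description:` value in the CVE-2012-6657.yml hunk is a comma-spliced run-on written as a continuation-indented plain scalar, while the file's other multi-line fields use a `|` block. Make it a block scalar and split the sentence, keeping to what it already states, e.g. `description: |` / `sock_setsockopt() calls tcp_set_keepalive() without first checking the socket type.` / `A user who opens a RAW socket and sets that option can therefore crash the system.`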
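Review bot: the replacement note `Manually Confirmed` in the CVE-2012-6657.yml fixes hunk does not match the exact string the removed instruction asks for (`'Manually confirmed'`), and the CVE-2019-15216.yml hunk in this same patch uses the lower-case form; use `Manually confirmed` in both files so any editorial check keyed on that string passes.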
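Review bot: the `discovered` hunk for CVE-2012-6657 contradicts itself: the answer says "Discovered by a developer" but sets `developer: false` alongside `automated: false` and `contest: false`, leaving no discovery method true. Either set `developer: true` or reword the answer; also fix "no used of tools were mentioned" to "no use of tools was mentioned" and, if no evidence was found, say where you looked, as the instruction directly above the field asks.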
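Review bot: the `autodiscoverable` note for CVE-2012-6657 ("relies on a specific type of socket to be used, a fully automated tool could not find the issue") does not support the `answer: false` it accompanies: the socket type is an ordinary parameter that a syscall-level fuzzer varies, and the CVE-2019-15216 entry in this same patch credits a fuzzer with its find. Give a concrete reason a tool would not reach the RAW-socket keepalive path, or reconsider the answer, and split the comma splice into two sentences.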
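Review bot: `sandbox: answer: true` in the CVE-2012-6657 hunk is not supported by its note, which describes a missing socket-type check in `sock_setsockopt` (already recorded under `forgotten_check`) rather than a bypass of any sandboxing feature; name the sandboxing feature that was violated or set the answer to `false`. Fix the typo "funtion", end the second sentence with a period, and use a `|` block for the two-line note.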
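Review bot: the `discussion` note "First mention was that it was an issue and required a quick fix." appears verbatim in both the CVE-2012-6657 and CVE-2019-15216 hunks, and in each it sits next to `any_discussion: false` even though it reports that a mention was made. Write a per-CVE note that says where you looked (mailing list, bug tracker) and, if a mention exists, link it and set `any_discussion` to match.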
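Review bot: both `lessons` hunks set every `applies:` to `false` and leave every `note:` empty, which reads as a blanket fill rather than an assessment. For CVE-2012-6657 the same patch records "Forgot to check if socket was RAW" under both `forgotten_check` and `mistakes`, so `distrust_input` at least deserves a considered answer with a note; for CVE-2019-15216 a short note on why none of the listed lessons fit would make the `false` values reviewable.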
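Review bot: the `mistakes` answer for CVE-2012-6657, "lapse - Forgot to check if socket was RAW", is a label rather than the "thoughtful entry" the instruction above it asks for. Expand it to a sentence or two on how a setsockopt option that only makes sense for one socket type reached code that never verified the type, and what practice (validating the socket type where the option is dispatched) would have caught it, staying within what the description states.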
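Review bot: the final hunk of CVE-2012-6657.yml removes the file's trailing newline (`\ No newline at end of file`) and leaves `CVSS:` empty, while the sibling CVE-2019-15216.yml hunk fills in its vector. Restore the newline and the CVSS string, and tidy the nickname: "Socket type non check." carries a stray period and reads awkwardly; something like `Unchecked socket type` stays under the 30-character limit.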
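Review bot: "causing an error" at the end of the CVE-2019-15216 description undersells what the same sentence describes, a read of the device name after it has been deallocated; the stacktrace recorded later in the file and the `A:H` CVSS vector in this patch both point to a crash, so say so. Format the two-line value as a `|` block scalar rather than a continuation-indented plain scalar, matching the file's other multi-line fields.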
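Review bot: in the CVE-2019-15216 `unit_tested` hunk, `fix_answer: Only a preexisting function was added, no tests were changed.` is self-contradictory as worded (a function cannot be both pre-existing and added); say "the fix only added a call to an existing function". In the same file the `interesting_commits` hunk attaches a note about 2010 code and a 2019 fix to an empty `- commit:`; fill in the hash it refers to, presumably `6bc235a2e24a5ef677daee3fd4f74f6cd643e23c` from the `vccs` hunk for the 2010 code and `ef61eb43ada6c1d6b94668f0f514e4c268093ff3` from `fixes` for the 2019 change.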
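Review bot: the `discovered` hunk for CVE-2019-15216 sets both `automated: true` and `developer: true`, but the answer credits only the syzkaller USB fuzzer; explain what a developer contributed beyond running the tool, or set `developer: false`. Add the missing period to the answer.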
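Review bot: the `vouch` note for CVE-2019-15216 ("The bug existed for 9 years before it was found…") answers a different question; the field asks whether one person vouched for another's fix. Replace it with a note on whether the fix commit carries a sign-off, review or ack from someone other than the author, and move the nine-year observation to `interesting_commits`, where a similar remark already lives.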
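Review bot: several CVE-2019-15216 notes do not justify their booleans: `ipc: note: Was in drivers.` names a location rather than saying why no inter-process communication was involved, and `forgotten_check: note: Out of order` merely points at another field. More importantly, `order_of_operations: answer: true` (a message was sent after the data was removed) is at odds with `unit_tested.fix_answer`, which says the fix only added a function call; state whether the fix reorders the log relative to the unregister or adds a call that captures the name before it is freed, and make the two entries agree.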
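Review bot: the nickname `Requesting Null Data` for CVE-2019-15216 suggests a NULL dereference, but the description in this same patch describes reading a device name after it has been deallocated, i.e. use of freed memory, not null data; pick a name that matches, e.g. `Logging a freed USB name`, which stays under 30 characters.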