Re: Details on this supposed Linux Kernel ksmbd RCE

[Marcus Meissner <meissner () suse de>]

On Fri, Dec 23, 2022 at 05:19:06PM +0100, Marcus Meissner wrote:
> On Fri, Dec 23, 2022 at 03:20:17PM +0100, Greg KH wrote:
> > On Fri, Dec 23, 2022 at 09:04:25AM -0500, Sasha Levin wrote:
> > > On Fri, Dec 23, 2022 at 09:17:28AM +0100, Marcus Meissner wrote:
> > > > Not sure why they do not like you, but to be very clear anyone else can
> > > > requests CVEs for the kernel, (except the blacklisted drivers/staging/ area).
> > >
> > > For CVEs assigned (earlier this month) to issues in drivers/staging,
> > > what would be the process to remove the assignment or mark them as
> > > invalid?
> >
> > And who is doing this "blacklisting" of staging drivers from CVEs?  Why
> > are they special when many distros do enable and rely on them?
>
> This is just information I received when I tried to allocate a CVE for a
> staging driver.
>
> It has been over a year ago, so perhaps the this changed meanwhile again.

It was 4 years ago for CVE-2018-8822, where ncpfs moved from being good
into the "staging" tree due to quality / maintenance issues.

> > In my talks with MITRE, they have said they don't want to make public
> > statments about the CVE issues and Linux, which is sad, but they never
> > mentioned anything about "we will ignore this portion of the kernel
> > source tree".  Is that in a public statement anywhere that I can point
> > to when people ask the kernel security team for CVEs?
>
> No, it was in a private email, I will search for it, but I cannot
> promise I will find it again.

I got information back from Mitre on this topic.

This thread from you and Moritz in 2014 set the Mitre non-assignment policy regarding drivers/staging/

        https://www.openwall.com/lists/oss-security/2014/03/05/6

If this has changed in meantime (e.g. that security issues in the
staging tree are CVE worthy), we can ask Mitre to allow assigning to
staging drivers again.

Ciao, Marcus