Re: linux-distros list policy and Linux kernel, again

[Demi Marie Obenour <demi () invisiblethingslab com>]

On Sun, Aug 27, 2023 at 08:56:12PM +0200, Eduardo' Vela" <Nava> wrote:
> On Sun, 27 Aug 2023, 19:41 Demi Marie Obenour, <demi () invisiblethingslab com>
> wrote:
>
> > Does this include unfixed vulnerabilities?
>
> The link* has more details, but briefly, deduplication is done by fix
> commit.
>
> Efforts to fix unfixed Syzkaller crashes (also something being worked on)
> are complementary to the effort to generate CVE identifiers for them, if
> that's your question (so, yes? Unfixed vulnerabilities found by Syzkaller
> are meant to be fixed first and then a CVE is generated for the reports
> fixed by their corresponding Fix commit).
>
> Generating CVEs for Syzkaller reports without deduplicating them first
> would be disruptive and useless (the link* goes into more details).
> Deduplication is subjective as it depends on how the bugs are understood.
> The analysis that is needed to deduplicate is happening as part of the fix
> review process.
>
> One could, of course, create a different mechanism to automatically (or
> semi-automatically) deduplicate Syzkaller reports and accept the risk of
> duplicate CVEs. This may be something to look at in the future, but it's
> not what's being worked on for the first iteration, and we probably will
> have a lot to fix and learn from even after the first wave of CVEs are
> generated.
>
> * https://github.com/google/cvelist/tree/cve-automation/fuzzer

That makes sense.  Do you have any information about the efforts to fix
the crashes?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Attachment: signature.asc
Description: