oss-sec mailing list archives

Re: Reporting and disclosing Linux kernel vulnerabilities

From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 4 Aug 2017 11:07:40 -0600

On Fri, Aug 4, 2017 at 10:59 AM, Andrey Konovalov <andreyknvl () gmail com>
wrote:

Hi!

It's not completely clear to me how to properly report and disclose
Linux kernel security issues. There are a few different parties [1, 2,
3] that need to be informed and coordinated. I couldn't find a
publicly available actionable list of steps, so I've outlined it as I
see it here:

https://github.com/google/syzkaller/blob/master/docs/
linux_kernel_reporting_bugs.md#reporting-security-bugs

Thoughts? Comments?


I would strongly suggest that people notify distros@ (keeping in mind it
has a 2 week embargo limit, so if you need more than that, don't notify
distros@ until you are ready) and notify the Kernel (we want this fixed
upstream too,obviously, but also keeping in mind that they have a 1 week
embargo limit, so if you need more than that, don't notify the Kernel until
you are ready). Another option it to notify a vendor such as Red Hat (
secalert () redhat com) or SUSE (security () suse com) as we can handle things in
house (we have kernel devs/etc) and we know whom to notify at other vendors
as needed (e.g. Debian, Ubuntu, etc.) and can hold embargoes as needed
(although typically we don't like long embargoes either, I would say 4-5
weeks absolute max ideally).

Another benefit of notifying the vendors/distros is we can help with the
coordination and notification, CVEs, etc. Kernel upstream basically just
fixes it and moves on (which is legitimate, it's not their job to make sure
every possible downstream gets notified*)

[*] although it would be nice if this stuff gets a CVE and the CVE gets
used, then people know to pay attention to those commits/etc.


Thanks!

[1] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html

[2] http://oss-security.openwall.org/wiki/mailing-lists/distros

[3] http://oss-security.openwall.org/wiki/mailing-lists/oss-security




-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com

Current thread:

Reporting and disclosing Linux kernel vulnerabilities Andrey Konovalov (Aug 04)
- Re: Reporting and disclosing Linux kernel vulnerabilities Kurt Seifried (Aug 04)
- Re: Reporting and disclosing Linux kernel vulnerabilities Solar Designer (Aug 04)
  - Re: Reporting and disclosing Linux kernel vulnerabilities Greg KH (Aug 04)
    - Re: Reporting and disclosing Linux kernel vulnerabilities Andrey Konovalov (Sep 01)
- Re: Reporting and disclosing Linux kernel vulnerabilities Greg KH (Aug 04)