I'm really not sure what to think of this.
edit: https://lore.kernel.org/all/2024022547-CVE-2023-52472-fa03@gregkh/
@kees @vathpela @gregkh I don't want to get too pedantic here, but that corollary there looks like a prime example of the fallacy of affirming the consequent.
I really disagree, not all bugs are security bugs. They could be vulnerabilities at some point in the future (i.e. latent), but we have no evidence to say that they are today.
Don't get me wrong, I think these patches are good and should be applied everywhere, but they arguably do not fix vulnerabilities.
@vegard @vathpela @gregkh FWIW, I think "security bugs are bugs" is a flawed view. The nuance, though, can be extremely time consuming. :(
@vathpela @vegard @gregkh
The corollary of "security bugs are bugs" is "bugs are security bugs". Without an omniscient view of all Linux deployments and the associated reachability analysis, the objective security impact of a behavioral weakness cannot be assessed. And this is especially true given that (even minor) flaws are commonly chained together to build exploits.
This new process won't be perfect, but it'll be a whole lot closer to reality than the prior process: assigning no CVEs. :)
@vegard Greg has decided to burn the sea and is assigning CVEs without respect to whether anything can actually be exploited.
@kees @vathpela @gregkh In this specific case I feel like much of the analysis has already been carried out, see https://lwn.net/Articles/627419/ and https://lwn.net/Articles/723317/.
If we believe otherwise, that should be documented or discussed (like Jann's reply: https://mastodon.social/@jann@infosec.exchange/111995095738261114).
I'm fine admitting some wiggle room for borderline cases, but in this case the CVE description is literally "this can't actually fail" and "adding a check ... makes the static checkers happy".