Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/114257437962283266">Will Dormann (wdormann@infosec.exchange)'s status on Friday, 04-Apr-2025 21:21:29 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a></section><article><p>In today's episode of drama in the CVE ecosystem:</p><p>The Canonical CNA created <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0927" rel="nofollow">CVE-2025-0927</a> and an <a href="https://ubuntu.com/security/CVE-2025-0927" rel="nofollow">associated advisory</a> for a heap overflow in HFS+ in the Linux kernel.</p><p>The Linux kernel CNA stripped out the information (like the reporter of Attila Szász, useful references, etc) from the CVE entry and added the passive-aggressive:</p><p>The Linux kernel CVE team has been assigned CVE-2025-0927 as it was incorrectly created by a different CNA that really should have known better to not have done this.to this issue. [sic]</p><p>Also TIL: If you look only at the assignerShortName in a cvelistV5 CVE entry, you might not get the whole picture of whose CVE it technically is. While the Linux kernel rewrote history to claim that they assigned the CVE, that was only done via the cna container's ProviderMetadata shortName value. The top-level [assignerShortName](https://github.com/CVEProject/cvelistV5/blob/main/cves/2025/0xxx/CVE-2025-0927.json#L7) for the entry still shows canonical.</p><p>Good times...</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4844107#notice-9486907">In conversation</a><time datetime="2025-04-04T21:21:29+09:00" title="Friday, 04-Apr-2025 21:21:29 JST">about 3 days ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/114257437962283266" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/114257437962283266">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4413842">diff of github entry for CVE-2025-0927</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/257/381/114/219/227/original/3812831817c8bd89.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/257/381/114/219/227/original/3812831817c8bd89.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4413843">            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2025-03-30T18:55:36.242Z"
            },</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/257/431/435/673/328/original/f86fe742deac6337.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/257/431/435/673/328/original/f86fe742deac6337.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4413844">   "assignerShortName": "canonical",</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/257/433/764/597/291/original/8cafd467d7c4c038.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/257/433/764/597/291/original/8cafd467d7c4c038.png</a></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="http://this.to/">http://this.to/</a></h5><div></div></header><div></div><footer></footer></article></li><li><article><header><div>Domain not in remote thumbnail source whitelist: opengraph.githubassets.com</div><h5><a href="https://github.com/CVEProject/cvelistV5/blob/main/cves/2025/0xxx/CVE-2025-0927.json#L7">cvelistV5/cves/2025/0xxx/CVE-2025-0927.json at main · CVEProject/cvelistV5</a></h5><div></div></header><div>CVE cache of the official CVE List in CVE JSON 5 format - CVEProject/cvelistV5</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Friday, 04-Apr-2025 21:21:29 JST Will Dormann
In today's episode of drama in the CVE ecosystem:
The Canonical CNA created CVE-2025-0927 and an associated advisory for a heap overflow in HFS+ in the Linux kernel.
The Linux kernel CNA stripped out the information (like the reporter of Attila Szász, useful references, etc) from the CVE entry and added the passive-aggressive:
The Linux kernel CVE team has been assigned CVE-2025-0927 as it was incorrectly created by a different CNA that really should have known better to not have done this.to this issue. [sic]
Also TIL: If you look only at the assignerShortName in a cvelistV5 CVE entry, you might not get the whole picture of whose CVE it technically is. While the Linux kernel rewrote history to claim that they assigned the CVE, that was only done via the cna container's ProviderMetadata shortName value. The top-level [assignerShortName](https://github.com/CVEProject/cvelistV5/blob/main/cves/2025/0xxx/CVE-2025-0927.json#L7) for the entry still shows canonical.
Good times...
In conversationabout 3 days ago from infosec.exchangepermalink
Attachments
1. diff of github entry for CVE-2025-0927
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/257/381/114/219/227/original/3812831817c8bd89.png
2. "providerMetadata": { "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-03-30T18:55:36.242Z" },
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/257/431/435/673/328/original/f86fe742deac6337.png
3. "assignerShortName": "canonical",
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/257/433/764/597/291/original/8cafd467d7c4c038.png
4. No result found on File_thumbnail lookup.
  http://this.to/
5. Domain not in remote thumbnail source whitelist: opengraph.githubassets.com
  cvelistV5/cves/2025/0xxx/CVE-2025-0927.json at main · CVEProject/cvelistV5
  CVE cache of the official CVE List in CVE JSON 5 format - CVEProject/cvelistV5

Public

Embed Notice

HTML Code

Corresponding Notice