path: root/HOWTO
blob: b97c5acc68da8c92f8248d818733011fdc75be8b (plain)
Notes on "how to assign an id and push it out to the world"

Prep work
========

Things you need to have installed to get this all working:

Binaries needed on your path to run automatically:
	jo - https://github.com/jpmens/jo
	cvelib - https://github.com/RedHatProductSecurity/cvelib.git

Binaries that are nice to have:
	just - https://github.com/casey/just.git
	patatt - part of 'b4', needed to sign emails with the git send-email hook

Source repos that are required:
	Full linux-stable tree for git lookups.
		git@gitolite.kernel.org:/pub/scm/linux/kernel/git/stable/linux

	linux-stable_commit_tree, scripts used to figure out what commit was released in what directory.
		https://git.sr.ht/~gregkh/linux-stable_commit_tree

	Keep these two repos up to date; both change with each new kernel release (stable and -rc).

	Export the following environment variables with full paths to both repos.

	  export CVEKERNELTREE="${HOME}/<path_to_kernel>"
	  export CVECOMMITTREE="${HOME}/<path_to_commit_tree>"

	If it helps, add them to your terminal rc file (~/.bashrc|~/.zshrc) et al.

Right now, the tools in scripts/ have hard-coded locations for the above two
source repos.  Edit them to point to where you placed the repos in your directory
tree; at some point we should figure out how to specify them on the command
line or through environment variables...

Set the environment variable CVE_USER="your email address used for CVE"

You can set the CVE_API_KEY environment variable as well, or you can type the
key in each time you access the CVE.org site, your call.

To test the ability to access the CVE database, run:
	cve -o Linux org

the output should look something like:
	kernel.org — Linux
	├─ Roles:	CNA
	├─ Created:	Wed Feb 14 06:36:05 2024 +0000
	└─ Modified:	Tue Feb 27 18:42:56 2024 +0000

If this doesn't work, poke Greg to work through what went wrong.

Install the git send-email hook that will sign the emails when sent out, and
set a "pretty" Message-Id: value.
	cp git_hooks/sendemail-validate .git/hooks/

Verify the hook works; run by hand, outside of git send-email, it should fail with the following error:
	$ .git/hooks/sendemail-validate
	WARNING: Folder does not exist, failed opening mbox folder /var/spool/mail/gregkh.
	Can't call method "message" on an undefined value at .git/hooks/sendemail-validate line 8.

If you get warnings about missing Perl modules, go find them on your distro, or
don't worry about it and delete the hook, your call.
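A preflight check that covers the prep work above (binaries on PATH, the two
repo variables pointing at git checkouts, CVE_USER set, hook installed). This
is an added example, not one of the vulns.git scripts; the function names
cve_check_bin, cve_check_repo and cve_preflight are assumptions, and it checks
for the 'cve' binary because that is what cvelib installs.

```shell
#!/bin/sh
# Preflight check for the CVE assignment workflow.  Added example, not part of
# vulns.git; function names are assumptions.  Run from the top of the repo.

# Succeeds if the named binary is on PATH.
cve_check_bin() {
    command -v "$1" >/dev/null 2>&1
}

# Succeeds if the named environment variable is set and points at an
# existing git checkout (a directory containing .git); explains why otherwise.
cve_check_repo() {
    var="$1"
    eval "dir=\${$var:-}"
    [ -n "$dir" ] || { echo "$var is not set" >&2; return 1; }
    [ -d "$dir/.git" ] || { echo "$var=$dir is not a git checkout" >&2; return 1; }
}

# Runs every check, reports each failure, and returns non-zero if any failed.
cve_preflight() {
    rc=0
    for bin in jo cve; do
        cve_check_bin "$bin" || { echo "missing binary on PATH: $bin" >&2; rc=1; }
    done
    for var in CVEKERNELTREE CVECOMMITTREE; do
        cve_check_repo "$var" || rc=1
    done
    [ -n "${CVE_USER:-}" ] || { echo "CVE_USER is not set" >&2; rc=1; }
    # The hook is optional, so its absence is only reported, not counted as a failure.
    [ -x .git/hooks/sendemail-validate ] ||
        echo "note: .git/hooks/sendemail-validate not installed, mails will not be signed" >&2
    return "$rc"
}
```

Source the file and run cve_preflight once per shell session before
cve_create; each missing piece is printed on stderr, so an empty output and a
zero exit status mean the prep work is complete.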


Assigning an id
===============

Start with a git id, let's use 5f449e245e5b ("riscv: mm: Fixup compat mode boot
failure") as an example for all of this.

In the main vulns.git repo, run 'just' to see the available options:
$ just
Available recipes:
    cve_create GIT_ID # Create a CVE for a specific Linux kernel git commit id
    cve_publish_json  # Publish all modified .json files with the CVE server
    cve_publish_mbox  # Publish all modified .mbox messages with git-send-email
    cve_reject CVE_ID # Reject a published/reserved CVE
    cve_search GIT_ID # Search for a specific git id in the list of published CVE ids
    cve_update        # Update all allocated CVE entries with the latest version information
    list_ids          # Query the CVE server for the list of all ids assigned to us
    summary           # List a summary of the ids at this point in time


You can run the cve_* scripts directly from scripts/ or you can use 'just' to
run them instead, your call.

To create a cve id, do:
	just cve_create 5f449e245e5b
or
	scripts/cve_create 5f449e245e5b

the output should look something like:
	CVE-2023-52475 is now allocated for commit 5f449e245e5b ("riscv: mm: Fixup compat mode boot failure")
(it should be in color)

Great, it's created, but what happened?  Look at git:
	$ git status -s
	 D cve/reserved/2023/CVE-2023-52475
	?? cve/published/2023/CVE-2023-52475
	?? cve/published/2023/CVE-2023-52475.json
	?? cve/published/2023/CVE-2023-52475.mbox
	?? cve/published/2023/CVE-2023-52475.sha1

If all went well, the CVE id was moved from the reserved directory into the
published directory.

Look at the .mbox file and verify that it looks sane: the "Affected and fixed
versions" section is correct, and the version numbers and git ids in it are
correct.  You can manually check the links at the bottom of the email as well
to verify this.  Also verify that the email address at the top of the email is
correctly set to yours.

If that looks good, look at the .json file and be thankful that we don't have
to type this by hand all the time, hopefully it also looks correct.
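The manual checks on the .mbox and .json files, written as a script. This is an
added example, not part of vulns.git; it assumes the .sha1 file holds the git
id of the fix commit, that the .mbox cites that commit (the first 12 characters
are matched, so both the short and the full id count), that its From: header
carries your address, and that the .json names the CVE id and the full commit
sha1. The function name cve_check_files is an assumption.

```shell
#!/bin/sh
# Consistency check of the files cve_create produced, run before publishing.
# Added example, not one of the vulns.git scripts; see the assumptions above.
#
# Usage: cve_check_files cve/published/2023 CVE-2023-52475 "$CVE_USER"
cve_check_files() {
    dir="$1"; id="$2"; expected_from="$3"; rc=0

    # All three generated files must be present next to each other.
    for ext in json mbox sha1; do
        [ -f "$dir/$id.$ext" ] || { echo "missing $dir/$id.$ext" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    sha=$(tr -d '[:space:]' < "$dir/$id.sha1")
    short=$(printf '%s' "$sha" | cut -c1-12)

    # The announcement must reference the fix commit it was generated from.
    grep -q "$short" "$dir/$id.mbox" ||
        { echo "$id.mbox does not mention commit $short" >&2; rc=1; }

    # The From: header must be yours, not a stale value from another setup.
    from=$(sed -n 's/^From: //p' "$dir/$id.mbox" | head -n 1)
    case "$from" in
        *"$expected_from"*) ;;
        *) echo "$id.mbox From: is '$from', expected $expected_from" >&2; rc=1 ;;
    esac

    # The json must carry the same CVE id and the same commit as the .sha1 file.
    grep -q "\"$id\"" "$dir/$id.json" ||
        { echo "$id.json does not contain $id" >&2; rc=1; }
    grep -q "$sha" "$dir/$id.json" ||
        { echo "$id.json does not reference commit $sha" >&2; rc=1; }

    return "$rc"
}
```

It only catches mismatches between the generated files and your environment;
the version ranges themselves still need the eyeball check described above.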

Submit the cve id to cve.org:
	just cve_publish_json
or
	scripts/cve_publish_json

The script will iterate through the uncommitted or modified json files and
submit them to cve.org.  The response should be "success"; if not, work through
it with Greg.

Send the email for the new cve id:
	just cve_publish_mbox
or
	scripts/cve_publish_mbox

The script will iterate through the uncommitted mbox files and run 'git
send-email' on them to send them to the linux-cve-announce mailing list.

If the git hook is installed, patatt will ask to sign the messages with your
gpg key before sending them out.

Now that the json file is submitted, and the .mbox file is sent out, that's it,
so just commit the changes to the git repo:
	git add cve/
	git commit -a
and provide a changelog message and push the repo to the server.