diff --git a/cves/kernel/CVE-2013-1774.yml b/cves/kernel/CVE-2013-1774.yml index 59b972b33..40c15eb6c 100644 --- a/cves/kernel/CVE-2013-1774.yml +++ b/cves/kernel/CVE-2013-1774.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that @@ -55,7 +55,11 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + In the Linux kernel, the chase_port function in drivers/usb/serial/io_ti.c + allowed local users to cause a denial of service via a NULL pointer dereference and + system crash. This occurred after an attempted /dev/ttyUSB read or write + operation on a disconnected Edgeport USB serial converter. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -88,10 +92,9 @@ fixes: note: - commit: note: -- commit: 1ee0a224bc9aad1de496c795f96bc6ba2c394811 +- commit: 1ee0a224bc9aad1de496c795f96bc6ba2c394811 note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Manually confirmed vcc_instructions: | The vulnerability-contributing commits. 
@@ -106,7 +109,8 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - note: Discovered automatically by archeogit. + note: | + Discovered automatically by archeogit. upvotes_instructions: | For the first round, ignore this upvotes number. @@ -114,7 +118,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 1 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -129,10 +133,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: False + code_answer: False + fix: False + fix_answer: False discovered: question: | How was this vulnerability discovered? @@ -147,10 +151,11 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: | + Discovered on 2013-02-27 by a Redhat employee. + automated: False + contest: False + developer: True autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -167,8 +172,11 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + The vulnerability is caused entirely by a null pointer reference to a peripheral. + In theory it might be possible to discover it with a tool but you would have to be + manually involved in the process (ie disconnect the peripheral while tool is running). + answer: False specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX 
@@ -184,8 +192,9 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + Could not find reference to a specification that had been violated. + answer: False subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -219,8 +228,8 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: drivers + note: interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? @@ -251,8 +260,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: The vulnerability is caused by a null pointer to a perpheral reference. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -266,8 +275,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: The vulnerability does not allow for access to limited access content. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -278,8 +287,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: The vulnerability is solely caused by a NULL pointer. discussion: question: | Was there any discussion surrounding this? @@ -305,9 +314,10 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: True + any_discussion: True + note: | + No public disagreements found. vouch: question: | Was there any part of the fix that involved one person vouching for 
@@ -320,8 +330,9 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + Commit was signed off by two people. Can be found on git.kernel.org. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -335,9 +346,10 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: False + stacktrace_with_fix: False + note: | + No stack trace(s) provided in online discussion of bug. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -356,8 +368,9 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + The fix was adding a NULL pointer check. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -369,8 +382,9 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + The fix involved adding a new check, not moving existing code around. lessons: question: | Are there any common lessons we have learned from class that apply to this 
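Review bot: In the CVE-2013-1774.yml vccs hunk, the only VCC still carries the note "Discovered automatically by archeogit." even though curation_level is bumped to 2 in the same patch; the change only re-wraps the note as a block scalar. The same commit (1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) is removed as an archeogit guess in the CVE-2019-19252.yml hunk below, so apply the same scrutiny here: confirm via git blame on the chase_port code in drivers/usb/serial/io_ti.c which commit introduced the unchecked use, and replace the note with the "Manually confirmed" wording used for the fixes entry, or with the reason a different commit was chosen.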
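Review bot: In the CVE-2013-1774.yml discovered and autodiscoverable hunks, "Redhat" should be "Red Hat", and the autodiscoverable note's "null pointer reference to a peripheral" misstates the bug: the pointer to the port/device becomes NULL after the Edgeport converter is disconnected and chase_port then dereferences it, as the description hunk says ("NULL pointer dereference ... after an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter"). Reword the note around that dereference, and state what "manually involved" means concretely (physically unplugging, or otherwise forcing the disconnect path, while the tool exercises the tty), since that is the premise for answer: False.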
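Review bot: In the CVE-2013-1774.yml i18n and ipc hunks, the notes restate the bug instead of answering the question asked: "The vulnerability is caused by a null pointer to a perpheral reference." (typo: peripheral) does not say whether any internationalization code was involved, and "The vulnerability is solely caused by a NULL pointer." does not say whether the affected feature used inter-process communication. Each note should name what was checked, for example that the affected path is a tty read/write in a USB serial driver with no locale or character-set handling and no IPC mechanism. The subsystem name "drivers" is also coarser than the file path the description gives; drivers/usb/serial is the level the subsystem question is asking for.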
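Review bot: In the CVE-2013-1774.yml discussion hunk, the note "No public disagreements found." gives no link even though the visible instructions ask to "Put any links to disagreements you found in the notes section, or any other comment you want to make."; with discussed_as_security and any_discussion both set to True, cite where the discussion was found (the bug report or mailing-list thread) so the True values are verifiable. The vouch note ("Commit was signed off by two people.") would likewise benefit from naming the two Signed-off-by tags it refers to.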
@@ -387,38 +401,40 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: False note: least_privilege: - applies: + applies: False note: frameworks_are_optional: - applies: + applies: False note: native_wrappers: - applies: + applies: False note: distrust_input: - applies: + applies: False note: security_by_obscurity: - applies: + applies: False note: serial_killer: - applies: + applies: False note: environment_variables: - applies: + applies: False note: secure_by_default: - applies: + applies: False note: yagni: - applies: + applies: False note: complex_inputs: - applies: - note: + applies: True + note: | + Tool utilization not anticipated after a USB disconnect. The + ability for this input to change was not accounted for. mistakes: question: | In your opinion, after all of this research, what mistakes were made that @@ -448,7 +464,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + The mistake seemed to have occured due to a missed step during development or + a lapse in judgement. The inital code was simply missing a single check. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -473,5 +491,6 @@ nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: +nickname: | + Phantom USB DOS CVSS: diff --git a/cves/kernel/CVE-2019-19252.yml b/cves/kernel/CVE-2019-19252.yml index 6eb617a5c..0f9e8f25d 100644 --- a/cves/kernel/CVE-2019-19252.yml +++ b/cves/kernel/CVE-2019-19252.yml 
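Review bot: In the CVE-2013-1774.yml lessons hunk, the complex_inputs note "Tool utilization not anticipated after a USB disconnect. The ability for this input to change was not accounted for." is unclear: "tool utilization" does not describe a kernel driver, and the thing that changes is device state (the converter going away), not an input value. Say plainly that the driver did not account for the device being disconnected between open and a subsequent read/write, which is also the fact the forgotten_check note relies on. Given that framing, reconsider whether defense_in_depth or distrust_input fits better than complex_inputs, and add a one-line note for whichever lessons you mark True.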
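Review bot: In the CVE-2013-1774.yml mistakes and nickname hunks, the mistakes answer ("The mistake seemed to have occured due to a missed step during development or a lapse in judgement. The inital code was simply missing a single check.") is byte-identical to the answer added to CVE-2019-19252.yml later in this patch, which defeats the instruction to "Write a thoughtful entry here"; the two bugs are different (a use of a device pointer after disconnect versus a missing mode check on vcsu writes), so each answer should say what specifically was missed and how it could have been caught. Fix "occured" and "inital" as well. In the nickname, "DOS" should read "DoS", and the CVSS field is left empty here while the CVE-2019-19252.yml entry gets a full vector; fill it in for consistency.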
@@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that @@ -55,7 +55,9 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + In the Linux kernel through version 5.3.13, vcs_write in drivers/tty/vt/vc_screen.c + does not prevent write access to vcsu devices (CID-0c9acb1af77a). bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -90,8 +92,7 @@ fixes: note: - commit: 0c9acb1af77a3cb8707e43f45b72c95266903cee note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Manually confirmed vcc_instructions: | The vulnerability-contributing commits. @@ -105,10 +106,8 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: -- commit: fcdba07ee390d9d9c15de8b2a17baef689284fcc - note: Discovered automatically by archeogit. -- commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - note: Discovered automatically by archeogit. +- commit: d21b0be246bf3bbf569e6e239f56abb529c7154e + note: upvotes_instructions: | For the first round, ignore this upvotes number. 
@@ -116,7 +115,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 2 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -131,10 +130,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: False + code_answer: False + fix: False + fix_answer: False discovered: question: | How was this vulnerability discovered? @@ -149,10 +148,12 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: | + Reported by a user on 2019-11-04. User was fuzzing the linux kernal using Syzkaller and + discovered the vulnerability. + automated: True + contest: False + developer: False autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -169,8 +170,9 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + The vulnerability was initally discovered by a fuzzer. + answer: True specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -186,8 +188,9 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + No mention of specification violation found. + answer: False subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -221,7 +224,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: drivers note: interesting_commits: question: | 
@@ -253,8 +256,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: Vulnerability was caused by an unsupported opperation in vc_screen.c unicode mode. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -268,8 +271,9 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + Nature of issue is allowing write access to devices that should not be written to. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -280,8 +284,10 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + Vulnerability appears to have occured in a system that does not use IPC and + no dicussion of the issue mentions any IPC. discussion: question: | Was there any discussion surrounding this? @@ -307,9 +313,10 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: False + any_discussion: True + note: | + Not necessarily dicussed as security, but was introduced as such to the developers. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -322,8 +329,10 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + In the conversation thread, message containing commit with fix contains a "Signed-off-by" field + with a signature. stacktrace: question: | Are there any stacktraces in the bug reports? 
@@ -337,9 +346,12 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: False + stacktrace_with_fix: false + note: | + Inital bug report contains call stack after bug occurence but no stacktraces. + I checked the email thread discussing the bug and its inital report and lore.kernal.org + for more information but was unable to find a stack trace. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -358,8 +370,9 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + Issue was caused by the absence of check for unicode before preforming an operation. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -371,8 +384,9 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + No code was moved for fix, only a new check was added. lessons: question: | Are there any common lessons we have learned from class that apply to this 
@@ -389,38 +403,40 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: False note: least_privilege: - applies: + applies: False note: frameworks_are_optional: - applies: + applies: False note: native_wrappers: - applies: + applies: False note: distrust_input: - applies: + applies: False note: security_by_obscurity: - applies: + applies: False note: serial_killer: - applies: + applies: False note: environment_variables: - applies: + applies: False note: secure_by_default: - applies: + applies: False note: yagni: - applies: + applies: False note: complex_inputs: - applies: - note: + applies: True + note: | + Complexity of inputs for this specific code led to forgetting a check. + This subsequently caused the vulnerability. mistakes: question: | In your opinion, after all of this research, what mistakes were made that @@ -450,7 +466,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + The mistake seemed to have occured due to a missed step during development or + a lapse in judgement. The inital code was simply missing a single check. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -475,5 +493,6 @@ nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: +nickname: | + Unsupported Unicode Writer CVSS: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
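Review bot: In the CVE-2019-19252.yml description hunk, the text "vcs_write in drivers/tty/vt/vc_screen.c does not prevent write access to vcsu devices (CID-0c9acb1af77a)" is an advisory-style sentence with a commit reference, while the visible instructions say "Your target audience is people just like you before you took any course in security". Add a plain-language sentence explaining what a vcsu device is (the unicode variant of the virtual console screen device) and why a local user being able to write to it matters; the CID can stay, but it should not carry the explanation.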
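Review bot: In the CVE-2019-19252.yml vccs hunk, the two archeogit candidates are replaced by d21b0be246bf3bbf569e6e239f56abb529c7154e with an empty note. The instructions immediately above say "Place any notes you would like to make in the notes field."; record how this commit was identified (for example, that it introduced the vcsu write path that the fix 0c9acb1af77a later rejects) and why fcdba07ee390 and 1da177e4c3f4 were ruled out, so the next curator does not have to redo the blame. The subsystem name "drivers" is also coarser than the path in the description; drivers/tty/vt is the answer the subsystem question wants.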
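Review bot: In the CVE-2019-19252.yml discovered hunk, "linux kernal" should read "Linux kernel", and the i18n note "Vulnerability was caused by an unsupported opperation in vc_screen.c unicode mode." (typo: operation) needs to argue why unicode console mode counts as internationalization for the purposes of the i18n question rather than just name it; if the reasoning is that the vcsu device exists to expose unicode screen contents and the missing check was specific to that mode, say so explicitly, because "unsupported operation" on its own reads as a generic missing check.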
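Review bot: In the CVE-2019-19252.yml sandbox and lessons hunks, sandbox is set to True with the note "Nature of issue is allowing write access to devices that should not be written to.", but the question asks whether a sandboxing feature was violated and the note names none; a missing mode check in a character-device write handler is an access-control defect, not a sandbox escape, so either name the sandbox mechanism involved or set this to False. The same note contradicts least_privilege: applies: False in the lessons hunk: if the bug is that a local user could write to a device that should not accept writes, least_privilege is the lesson that applies, and the complex_inputs note ("Complexity of inputs for this specific code led to forgetting a check.") does not explain what was complex about the input.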
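Review bot: In the CVE-2019-19252.yml discussion hunk, discussed_as_security: False conflicts with its own note "Not necessarily dicussed as security, but was introduced as such to the developers." (typo: discussed); a report that was presented to the developers as a security issue is discussed as security, so set the field to True or explain in the note what distinction is being drawn, and link the thread that the vouch note refers to ("In the conversation thread, message containing commit with fix contains a "Signed-off-by" field").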
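Review bot: In the CVE-2019-19252.yml stacktrace hunk, any_stacktraces: False is contradicted by the note "Inital bug report contains call stack after bug occurence but no stacktraces."; a call stack printed at the point of failure is a stack trace, which is what a syzkaller report typically carries, so either set any_stacktraces to True or explain what was in the report that is being distinguished from a stack trace. Also fix "Inital", "occurence" and "lore.kernal.org" (lore.kernel.org), and use the same boolean spelling as the rest of the file: stacktrace_with_fix: false is the only lowercase value in the patch.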
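Review bot: In the CVE-2019-19252.yml mistakes hunk, the answer is copied verbatim from CVE-2013-1774.yml earlier in this patch ("The mistake seemed to have occured due to a missed step during development or a lapse in judgement. The inital code was simply missing a single check."), with the same typos ("occured", "inital"). Write an answer specific to this bug: what the missing check in vcs_write was, why writes to the unicode device should have been rejected from the start, and how a test or review could have caught it.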