From 3844d2b625df5cb8487690e3348d66a69fc2a533 Mon Sep 17 00:00:00 2001 From: Phil Ganem Date: Tue, 7 Nov 2023 16:14:12 -0500 Subject: [PATCH 01/12] curatoin_level --- cves/kernel/CVE-2013-1774.yml | 2 +- cves/kernel/CVE-2019-19252.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2013-1774.yml b/cves/kernel/CVE-2013-1774.yml index 59b972b33..fcf41a6e0 100644 --- a/cves/kernel/CVE-2013-1774.yml +++ b/cves/kernel/CVE-2013-1774.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that diff --git a/cves/kernel/CVE-2019-19252.yml b/cves/kernel/CVE-2019-19252.yml index 6eb617a5c..90a52131e 100644 --- a/cves/kernel/CVE-2019-19252.yml +++ b/cves/kernel/CVE-2019-19252.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that From dce05ad3e614b3f49d4be9de6b4c9f2115e0d332 Mon Sep 17 00:00:00 2001 From: Phil Ganem Date: Tue, 7 Nov 2023 16:38:10 -0500 Subject: [PATCH 02/12] CVE-2019-19252 desc --- cves/kernel/CVE-2019-19252.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2019-19252.yml b/cves/kernel/CVE-2019-19252.yml index 90a52131e..c2f21a178 100644 --- a/cves/kernel/CVE-2019-19252.yml 
+++ b/cves/kernel/CVE-2019-19252.yml @@ -55,7 +55,8 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here From 6ee4a907a986b3abba6c69a095b461dd0d1ccaa8 Mon Sep 17 00:00:00 2001 From: Phil Ganem Date: Tue, 7 Nov 2023 18:11:19 -0500 Subject: [PATCH 03/12] CVE-2019-19252 filled out aside from lessons --- cves/kernel/CVE-2019-19252.yml | 89 +++++++++++++++++++--------------- 1 file changed, 51 insertions(+), 38 deletions(-) diff --git a/cves/kernel/CVE-2019-19252.yml b/cves/kernel/CVE-2019-19252.yml index c2f21a178..5ead068eb 100644 --- a/cves/kernel/CVE-2019-19252.yml +++ b/cves/kernel/CVE-2019-19252.yml @@ -56,7 +56,8 @@ description_instructions: | Your target audience is people just like you before you took any course in security description: | - + In the Linux kernel through version 5.3.13, vcs_write in drivers/tty/vt/vc_screen.c + does not prevent write access to vcsu devices (CID-0c9acb1af77a). bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -91,8 +92,7 @@ fixes: note: - commit: 0c9acb1af77a3cb8707e43f45b72c95266903cee note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Manually confirmed vcc_instructions: | The vulnerability-contributing commits. 
@@ -106,10 +106,8 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: -- commit: fcdba07ee390d9d9c15de8b2a17baef689284fcc - note: Discovered automatically by archeogit. -- commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - note: Discovered automatically by archeogit. +- commit: d21b0be246bf3bbf569e6e239f56abb529c7154e + note: upvotes_instructions: | For the first round, ignore this upvotes number. @@ -132,10 +130,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: False + code_answer: False + fix: False + fix_answer: False discovered: question: | How was this vulnerability discovered? @@ -150,10 +148,12 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: | + Reported by a user on 2019-11-04. User was fuzzing the linux kernal using Syzkaller and + discovered the vulnerability. + automated: True + contest: False + developer: False autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -170,8 +170,9 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + The vulnerability was initally discovered by a fuzzer. + answer: True specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -187,8 +188,9 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + No mention of specification violation found. + answer: False subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel 
@@ -222,7 +224,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: drivers note: interesting_commits: question: | @@ -254,8 +256,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: Vulnerability was caused by an unsupported opperation in vc_screen.c unicode mode. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -269,8 +271,9 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + Nature of issue is allowing write access to devices that should not be written to. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -281,8 +284,10 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + Vulnerability appears to have occured in a system that does not use IPC and + no dicussion of the issue mentions any IPC. discussion: question: | Was there any discussion surrounding this? @@ -308,9 +313,10 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: False + any_discussion: True + note: | + Not necessarily dicussed as security, but was introduced as such to the developers. vouch: question: | Was there any part of the fix that involved one person vouching for 
@@ -323,8 +329,10 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + In the conversation thread, message containing commit with fix contains a "Signed-off-by" field + with a signature. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -338,9 +346,12 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: False + stacktrace_with_fix: false + note: | + Inital bug report contains call stack after bug occurence but no stacktraces. + I checked the email thread discussing the bug and its inital report and lore.kernal.org + for more information but was unable to find a stack trace. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -359,8 +370,9 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + Issue was caused by the absence of check for unicode before preforming an operation. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -372,8 +384,9 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + No code was moved for fix, only a new check was added. lessons: question: | Are there any common lessons we have learned from class that apply to this From 89d37b5f56c6c83062c5cb5391d6b2774d860687 Mon Sep 17 00:00:00 2001 
From: Phil Ganem Date: Tue, 7 Nov 2023 22:48:11 -0500 Subject: [PATCH 04/12] CVE-2013-1774 done --- cves/kernel/CVE-2013-1774.yml | 81 ++++++++++++++++++++--------------- 1 file changed, 46 insertions(+), 35 deletions(-) diff --git a/cves/kernel/CVE-2013-1774.yml b/cves/kernel/CVE-2013-1774.yml index fcf41a6e0..1d5784c12 100644 --- a/cves/kernel/CVE-2013-1774.yml +++ b/cves/kernel/CVE-2013-1774.yml @@ -55,7 +55,11 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + In the Linux kernel, the chase_port function in drivers/usb/serial/io_ti.c + allowed local users to cause a denial of service via a NULL pointer dereference and + system crash. This occurred after an attempted /dev/ttyUSB read or write + operation on a disconnected Edgeport USB serial converter. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -88,10 +92,9 @@ fixes: note: - commit: note: -- commit: 1ee0a224bc9aad1de496c795f96bc6ba2c394811 +- commit: 1ee0a224bc9aad1de496c795f96bc6ba2c394811 note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Manually confirmed vcc_instructions: | The vulnerability-contributing commits. @@ -129,10 +132,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: False + code_answer: False + fix: False + fix_answer: False discovered: question: | How was this vulnerability discovered? 
@@ -147,10 +150,11 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: | + Discovered on 2013-02-27 by a Redhat employee. + automated: nil + contest: False + developer: True autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -167,8 +171,11 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + The vulnerability is caused entirely by a null pointer reference to a peripheral. + In theory it might be possible to discover it with a tool but you would have to be + manually involved in the process (ie disconnect the peripheral while tool is running). + answer: False specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -184,8 +191,9 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: False + answer: | + Could not find reference to a specification that had been violated. subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -219,8 +227,8 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: drivers + note: interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? @@ -251,8 +259,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: The vulnerability is caused by a null pointer to a perpheral reference. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system 
@@ -266,8 +274,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: The vulnerability does not allow for access to limited access content. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -278,8 +286,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: The vulnerability is solely caused by a NULL pointer. discussion: question: | Was there any discussion surrounding this? @@ -305,8 +313,8 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: + discussed_as_security: true + any_discussion: true note: vouch: question: | @@ -320,8 +328,9 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + Commit was signed off by two people. Can be found on git.kernel.org. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -335,9 +344,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: False + stacktrace_with_fix: False + note: No stack trace(s) provided in online discussion of bug. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? 
@@ -356,8 +365,9 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + The fix was adding a NULL pointer check. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -369,8 +379,9 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + The fix involved adding a new check, not moving existing code around. lessons: question: | Are there any common lessons we have learned from class that apply to this From eb0a85cdb2889ae29760d2ff3fa671f65a7d4097 Mon Sep 17 00:00:00 2001 From: Phil Ganem Date: Tue, 7 Nov 2023 23:03:45 -0500 Subject: [PATCH 05/12] Remaining steps --- cves/kernel/CVE-2013-1774.yml | 9 ++++++--- cves/kernel/CVE-2019-19252.yml | 4 +++- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/cves/kernel/CVE-2013-1774.yml b/cves/kernel/CVE-2013-1774.yml index 1d5784c12..a5b29eecd 100644 --- a/cves/kernel/CVE-2013-1774.yml +++ b/cves/kernel/CVE-2013-1774.yml @@ -152,7 +152,7 @@ discovered: explain where you looked. answer: | Discovered on 2013-02-27 by a Redhat employee. - automated: nil + automated: False contest: False developer: True autodiscoverable: @@ -346,7 +346,8 @@ stacktrace: what your answer was. any_stacktraces: False stacktrace_with_fix: False - note: No stack trace(s) provided in online discussion of bug. + note: | + No stack trace(s) provided in online discussion of bug. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? 
@@ -459,7 +460,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + The mistake seemed to have occured due to a missed step during development or + a lapse in judgement. The inital code was simply missing a single check. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to diff --git a/cves/kernel/CVE-2019-19252.yml b/cves/kernel/CVE-2019-19252.yml index 5ead068eb..eddf00fd2 100644 --- a/cves/kernel/CVE-2019-19252.yml +++ b/cves/kernel/CVE-2019-19252.yml @@ -464,7 +464,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + The mistake seemed to have occured due to a missed step during development or + a lapse in judgement. The inital code was simply missing a single check. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From 4f02bf13028ebb148696a4574b2ab8a0811b5595 Mon Sep 17 00:00:00 2001 From: Phil Ganem Date: Tue, 7 Nov 2023 23:08:37 -0500 Subject: [PATCH 06/12] Fixed bool --- cves/kernel/CVE-2013-1774.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/cves/kernel/CVE-2013-1774.yml b/cves/kernel/CVE-2013-1774.yml index a5b29eecd..064a589cf 100644 --- a/cves/kernel/CVE-2013-1774.yml +++ b/cves/kernel/CVE-2013-1774.yml @@ -313,9 +313,10 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: true - any_discussion: true - note: + discussed_as_security: True + any_discussion: True + note: | + No public disagreements found. vouch: question: | Was there any part of the fix that involved one person vouching for 
From 6349e7fc6674a756da7b4da8fcd241bc1bd2106a Mon Sep 17 00:00:00 2001 From: Phil Ganem Date: Tue, 7 Nov 2023 23:18:25 -0500 Subject: [PATCH 07/12] fixed yml formatting error --- cves/kernel/CVE-2013-1774.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/cves/kernel/CVE-2013-1774.yml b/cves/kernel/CVE-2013-1774.yml index 064a589cf..1989b2868 100644 --- a/cves/kernel/CVE-2013-1774.yml +++ b/cves/kernel/CVE-2013-1774.yml @@ -109,7 +109,8 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - note: Discovered automatically by archeogit. + note: | + Discovered automatically by archeogit. upvotes_instructions: | For the first round, ignore this upvotes number. @@ -151,7 +152,7 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. answer: | - Discovered on 2013-02-27 by a Redhat employee. + Discovered on 2013-02-27 by a Redhat employee. automated: False contest: False developer: True @@ -191,9 +192,9 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: False - answer: | + note: | Could not find reference to a specification that had been violated. + answer: False subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel From 6768b7dec8d3e07f2318997e0519bcd9f980732a Mon Sep 17 00:00:00 2001 From: Phil Ganem Date: Tue, 7 Nov 2023 23:22:43 -0500 Subject: [PATCH 08/12] Yet another yml language error --- cves/kernel/CVE-2013-1774.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2013-1774.yml b/cves/kernel/CVE-2013-1774.yml index 1989b2868..1e02d2e7d 100644 --- a/cves/kernel/CVE-2013-1774.yml +++ b/cves/kernel/CVE-2013-1774.yml 
@@ -110,7 +110,7 @@ vcc_instructions: | vccs: - commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 note: | - Discovered automatically by archeogit. + Discovered automatically by archeogit. upvotes_instructions: | For the first round, ignore this upvotes number. From cf199889bfaa916cb1ae3051fbb62ba0188af1fc Mon Sep 17 00:00:00 2001 From: Phil Ganem Date: Wed, 8 Nov 2023 11:03:08 -0500 Subject: [PATCH 09/12] lessons --- cves/kernel/CVE-2013-1774.yml | 28 +++++++++++++++------------- cves/kernel/CVE-2019-19252.yml | 26 ++++++++++++++------------ 2 files changed, 29 insertions(+), 25 deletions(-) diff --git a/cves/kernel/CVE-2013-1774.yml b/cves/kernel/CVE-2013-1774.yml index 1989b2868..7aaba59a0 100644 --- a/cves/kernel/CVE-2013-1774.yml +++ b/cves/kernel/CVE-2013-1774.yml @@ -110,7 +110,7 @@ vcc_instructions: | vccs: - commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 note: | - Discovered automatically by archeogit. + Discovered automatically by archeogit. upvotes_instructions: | For the first round, ignore this upvotes number. 
@@ -401,38 +401,40 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: False note: least_privilege: - applies: + applies: False note: frameworks_are_optional: - applies: + applies: False note: native_wrappers: - applies: + applies: False note: distrust_input: - applies: + applies: False note: security_by_obscurity: - applies: + applies: False note: serial_killer: - applies: + applies: False note: environment_variables: - applies: + applies: False note: secure_by_default: - applies: + applies: False note: yagni: - applies: + applies: False note: complex_inputs: - applies: - note: + applies: True + note: | + Tool utilization not anticipated after a USB disconnect. The + ability for this input to change was not accounted for. mistakes: question: | In your opinion, after all of this research, what mistakes were made that diff --git a/cves/kernel/CVE-2019-19252.yml b/cves/kernel/CVE-2019-19252.yml index eddf00fd2..b96cc3446 100644 --- a/cves/kernel/CVE-2019-19252.yml +++ b/cves/kernel/CVE-2019-19252.yml 
@@ -403,38 +403,40 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: False note: least_privilege: - applies: + applies: False note: frameworks_are_optional: - applies: + applies: False note: native_wrappers: - applies: + applies: False note: distrust_input: - applies: + applies: False note: security_by_obscurity: - applies: + applies: False note: serial_killer: - applies: + applies: False note: environment_variables: - applies: + applies: False note: secure_by_default: - applies: + applies: False note: yagni: - applies: + applies: False note: complex_inputs: - applies: - note: + applies: True + note: | + Complexity of inputs for this specific code led to forgetting a check. + This subsequently caused the vulnerability. mistakes: question: | In your opinion, after all of this research, what mistakes were made that From ac58b26d00b03017e31a61f7e05b51f8ebe5c544 Mon Sep 17 00:00:00 2001 From: Phil Ganem Date: Wed, 8 Nov 2023 11:27:29 -0500 Subject: [PATCH 10/12] Nicknames --- cves/kernel/CVE-2013-1774.yml | 3 ++- cves/kernel/CVE-2019-19252.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2013-1774.yml b/cves/kernel/CVE-2013-1774.yml index 7aaba59a0..d7530ea67 100644 --- a/cves/kernel/CVE-2013-1774.yml +++ b/cves/kernel/CVE-2013-1774.yml @@ -491,5 +491,6 @@ nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: +nickname: | + Phantom USB DOS CVSS: diff --git a/cves/kernel/CVE-2019-19252.yml b/cves/kernel/CVE-2019-19252.yml index b96cc3446..968ad1208 100644 --- a/cves/kernel/CVE-2019-19252.yml +++ b/cves/kernel/CVE-2019-19252.yml 
@@ -493,5 +493,6 @@ nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: +nickname: | + Unsupported Unicode Writer CVSS: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H From 1c21f66534a3ad37f7e368ad2a98d3a1a5143a95 Mon Sep 17 00:00:00 2001 From: Phil Ganem Date: Tue, 14 Nov 2023 22:05:20 -0500 Subject: [PATCH 11/12] CVE-2013-1774.yml upvotes --- cves/kernel/CVE-2013-1774.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2013-1774.yml b/cves/kernel/CVE-2013-1774.yml index d7530ea67..40c15eb6c 100644 --- a/cves/kernel/CVE-2013-1774.yml +++ b/cves/kernel/CVE-2013-1774.yml @@ -118,7 +118,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 1 unit_tested: question: | Were automated unit tests involved in this vulnerability? From c50a894703ec75f978db4a3a400f985c502fd12e Mon Sep 17 00:00:00 2001 From: Phil Ganem Date: Tue, 14 Nov 2023 22:05:49 -0500 Subject: [PATCH 12/12] CVE-2019-19252.yml upvotes --- cves/kernel/CVE-2019-19252.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2019-19252.yml b/cves/kernel/CVE-2019-19252.yml index 968ad1208..0f9e8f25d 100644 --- a/cves/kernel/CVE-2019-19252.yml +++ b/cves/kernel/CVE-2019-19252.yml @@ -115,7 +115,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 2 unit_tested: question: | Were automated unit tests involved in this vulnerability?
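Review bot: [PATCH 01/12] raises "curation_level: 0" to "curation_level: 2" in both files before any answers are filled in, so every intermediate revision up to [PATCH 12/12] claims a curation level the content does not yet meet. The surrounding curated_instructions context says this setting enables additional editorial checks, so move the bump to the last commit of the series. The subject "curatoin_level" is also misspelled.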
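Review bot: the vccs hunk (@@ -106,10 +106,8 @@) of cves/kernel/CVE-2019-19252.yml in [PATCH 03/12] swaps both archeogit-discovered commits for d21b0be246bf3bbf569e6e239f56abb529c7154e but leaves its "note:" empty. State in the note how this commit was identified as the VCC and why the two automatic candidates were rejected, so the next curator can check the reasoning.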
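Review bot: in the discussion hunk (@@ -308,9 +313,10 @@) of [PATCH 03/12], "discussed_as_security: False" disagrees with its own note, which says the issue "was introduced as such to the developers". Decide which one holds and make the answer and the note agree. The question text also asks for links, and none are given for "any_discussion: True".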
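Review bot: the vouch hunk (@@ -323,8 +329,10 @@) of [PATCH 03/12] justifies "answer: True" with a "Signed-off-by" field, which in kernel commits certifies the origin of the patch and is not a second person vouching for its correctness. Base the answer on a Reviewed-by, Acked-by or Tested-by tag or an explicit reply in the thread, or set it to False. The same applies to the "Commit was signed off by two people" note in the vouch hunk of [PATCH 04/12].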
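Review bot: in the stacktrace hunk (@@ -338,9 +346,12 @@) of [PATCH 03/12], the note says the initial report "contains call stack after bug occurence but no stacktraces" while "any_stacktraces: False" is set. A call stack printed in a bug report is normally what this question counts as a stack trace, so either set the answer to True or explain the distinction in the note. "stacktrace_with_fix: false" should be capitalised like the other booleans in the file, and "Inital", "occurence" and "lore.kernal.org" need spelling fixes.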
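Review bot: [PATCH 04/12] adds two invalid fields to cves/kernel/CVE-2013-1774.yml: "automated: nil" in the discovered hunk (@@ -147,10 +150,11 @@) is not a boolean, and the specification hunk (@@ -184,8 +191,9 @@) has "note: False" with the explanation placed under "answer: |", so the two values are swapped. Both are only corrected in [PATCH 05/12] and [PATCH 07/12]. Squash those fixups into this commit so that no revision in the series carries fields the editorial checks would reject.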
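Review bot: the mistakes hunks of [PATCH 05/12] add the same two sentences to both CVE-2013-1774.yml and CVE-2019-19252.yml ("The mistake seemed to have occured due to a missed step during development or a lapse in judgement. ..."), although the instructions in the context lines ask for a thoughtful entry. Make each answer specific to its bug using what the series already records: the missing NULL pointer check after a USB disconnect for CVE-2013-1774, and the missing unicode check before the write for CVE-2019-19252. "occured" and "inital" are misspelled in both copies.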
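Review bot: [PATCH 08/12] and the first hunk of [PATCH 09/12] both start from blob 1989b2868 of cves/kernel/CVE-2013-1774.yml and rewrite the same archeogit note line at @@ -110,7 +110,7 @@, so they cannot both apply in sequence. [PATCH 10/12] builds on 7aaba59a0 from 09, which leaves the 1e02d2e7d result of 08 unused. Drop 08 or rebase 09 on top of it, and keep the whitespace fix in one commit only.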
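Review bot: in the lessons hunk (@@ -403,38 +403,40 @@) of CVE-2019-19252.yml in [PATCH 09/12], "least_privilege: applies: False" conflicts with the sandbox note from [PATCH 03/12], which describes the issue as "allowing write access to devices that should not be written to". Reconcile the two answers. In both files every "applies: False" entry keeps an empty "note:"; add a short reason to each so a reader can tell the lesson was considered and not skipped.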
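Review bot: the nickname hunks of [PATCH 10/12] use a block scalar ("nickname: |") for a one-line value, which stores the name with a trailing newline. Write it as a plain scalar on the same line as the key, for example "nickname: Phantom USB DOS", so that consumers of the field and the under-30-characters check in nickname_instructions see exactly the intended string.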