From 0c0dae5b88f4f20b30d8b50a75563729630b894c Mon Sep 17 00:00:00 2001 From: Lollygagger Date: Wed, 8 Nov 2023 17:58:32 -0500 Subject: [PATCH 1/8] CVE-2018-8087 and CVE-2016-4998 --- cves/kernel/CVE-2016-4998.yml | 2 +- cves/kernel/CVE-2018-8087.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2016-4998.yml b/cves/kernel/CVE-2016-4998.yml index 2d08eb7b9..410a7f00d 100644 --- a/cves/kernel/CVE-2016-4998.yml +++ b/cves/kernel/CVE-2016-4998.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that diff --git a/cves/kernel/CVE-2018-8087.yml b/cves/kernel/CVE-2018-8087.yml index 206159256..36cb76051 100644 --- a/cves/kernel/CVE-2018-8087.yml +++ b/cves/kernel/CVE-2018-8087.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that From 1b13733dadc81148f35e033c4fda99f1fbc33804 Mon Sep 17 00:00:00 2001 From: Lollygagger Date: Wed, 8 Nov 2023 19:14:31 -0500 Subject: [PATCH 2/8] completed CVE-2018-8087 --- cves/kernel/CVE-2018-8087.yml | 92 ++++++++++++++++------------------- 1 file changed, 43 insertions(+), 49 deletions(-) diff --git a/cves/kernel/CVE-2018-8087.yml b/cves/kernel/CVE-2018-8087.yml index 36cb76051..ee0782575 100644 
--- a/cves/kernel/CVE-2018-8087.yml +++ b/cves/kernel/CVE-2018-8087.yml @@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: 2018-03-13 announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,9 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: Memory leak occurred in a function used for creating a new simulated radio device as a part of wifi drivers. + This memory leak allowed for local users to cause a denial of service attack through memory consumption by triggering + an out-of-array error case. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -84,14 +86,8 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: -- commit: - note: - commit: 0ddcff49b672239dda94d70d0fcf50317a9f4b51 - note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + note: Manually Confirmed vcc_instructions: | The vulnerability-contributing commits. @@ -106,11 +102,8 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 26b0e411d37a2ca5992d02884dc3fa4e1907e598 - note: Discovered automatically by archeogit. -- commit: 7882513bacb176ab4aacceefdd035ca9479da4fb - note: Discovered automatically by archeogit. -- commit: 62759361eb4929ffe692639176887020c76234a2 - note: Discovered automatically by archeogit. + note: Manually verified + upvotes_instructions: | For the first round, ignore this upvotes number. 
@@ -133,9 +126,9 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: + code: false code_answer: - fix: + fix: false fix_answer: discovered: question: | @@ -151,10 +144,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: This vulnerability was discovered by Sam Fowler. The thread where this was reported is https://bugzilla.redhat.com/show_bug.cgi?id=1555145 + automated: false + contest: false + developer: false autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -171,8 +164,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: Vulnerability was created by forgetting to free memory. This could have been found by automated memory leak checking software. + answer: true specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -189,7 +182,7 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: - answer: + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -223,8 +216,10 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: [drivers, mac80211] + note: I believe that the subsystem that this error takes place in is drivers because it took place within a + subdirectory of drivers. I believe that this specifically had to do with mac80211 because the error was made within + mac80211.c. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? 
@@ -241,8 +236,7 @@ interesting_commits: commits: - commit: note: - - commit: - note: + i18n: question: | Was the feature impacted by this vulnerability about internationalization @@ -255,8 +249,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Internationalization was not involved since this vulnerability was due to a simple memory leak. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -270,8 +264,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Since this error was simply forgetting to free memory it did not violate a sandbox feature that the system provides ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -282,8 +276,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Since this error was simply forgetting to free memory it was not affecting inter-process communication. discussion: question: | Was there any discussion surrounding this? @@ -309,8 +303,8 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: + discussed_as_security: false + any_discussion: false note: vouch: question: | @@ -324,8 +318,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Since this error was simply forgetting to free memory no one was vouching stacktrace: question: | Are there any stacktraces in the bug reports? 
@@ -339,9 +333,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: no stack traces were found on the report or on the fixing commit forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -360,8 +354,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Since this error was simply forgetting to free memory there was no forgotten check order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -373,8 +367,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Since this error was simply forgetting to free memory there was no order of operations error lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -452,7 +446,8 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: The primary mistake that was made was a simple lapse that occurred while the developer was writing this software. + The developer simply forgot to free memory. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to 
@@ -471,11 +466,10 @@ CWE_instructions: | CWE: - 772 CWE_note: | - CWE as registered in the NVD. If you are curating, check that this - is correct and replace this comment with "Manually confirmed". + Manually Confirmed nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: -CVSS: +nickname: Denial of Service through memory leak in hwsim_new_radio_nl function in drivers/net/wireless/mac80211_hwsim.c +CVSS: 5 From fc9c5925cfc420e7c4ffec58c4c80aa9e78415f0 Mon Sep 17 00:00:00 2001 From: Lollygagger Date: Wed, 8 Nov 2023 19:31:11 -0500 Subject: [PATCH 3/8] removed curation_level to check if cve-2018-8087 passed yaml checks --- cves/kernel/CVE-2016-4998.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2016-4998.yml b/cves/kernel/CVE-2016-4998.yml index 410a7f00d..2d08eb7b9 100644 --- a/cves/kernel/CVE-2016-4998.yml +++ b/cves/kernel/CVE-2016-4998.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 2 +curation_level: 0 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that From fe220ce3b54e147146bbd8a8a97d7ef8f8046667 Mon Sep 17 00:00:00 2001 From: Lollygagger Date: Wed, 8 Nov 2023 19:38:49 -0500 Subject: [PATCH 4/8] resolving yaml errors with first vulnerabilitiy --- cves/kernel/CVE-2018-8087.yml | 33 +++------------------------------ 1 file changed, 3 insertions(+), 30 deletions(-) diff --git a/cves/kernel/CVE-2018-8087.yml b/cves/kernel/CVE-2018-8087.yml index ee0782575..293e2a37d 100644 --- a/cves/kernel/CVE-2018-8087.yml +++ b/cves/kernel/CVE-2018-8087.yml 
@@ -181,7 +181,7 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: + note: no issues in specifications answer: false subsystem: question: | @@ -305,7 +305,7 @@ discussion: comment you want to make. discussed_as_security: false any_discussion: false - note: + note: no disagreements vouch: question: | Was there any part of the fix that involved one person vouching for @@ -337,36 +337,9 @@ stacktrace: stacktrace_with_fix: false note: no stack traces were found on the report or on the fixing commit forgotten_check: - question: | - Does the fix for the vulnerability involve adding a forgotten check? - - A "forgotten check" can mean many things. It often manifests as the fix - inserting an entire if-statement or a conditional to an existing - if-statement. Or a call to a method that checks something. - - Example of checks can include: - * null pointer checks - * check the current role, e.g. root - * boundary checks for a number - * consult file permissions - * check a return value - - Answer must be true or false. - Write a note about how you came to the conclusions you did, regardless of - what your answer was. answer: false note: Since this error was simply forgetting to free memory there was no forgotten check order_of_operations: - question: | - Does the fix for the vulnerability involve correcting an order of - operations? - - This means the fix involves moving code around or changing the order of - how things are done. - - Answer must be true or false. - Write a note about how you came to the conclusions you did, regardless of - what your answer was. answer: false note: Since this error was simply forgetting to free memory there was no order of operations error lessons: 
@@ -471,5 +444,5 @@ nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: Denial of Service through memory leak in hwsim_new_radio_nl function in drivers/net/wireless/mac80211_hwsim.c +nickname: Denial of Service through memory leak in hwsim_new_radio_nl CVSS: 5 From 0f1fe756591c68bae128027ecf459f01962bb223 Mon Sep 17 00:00:00 2001 From: Lollygagger Date: Wed, 8 Nov 2023 19:42:04 -0500 Subject: [PATCH 5/8] finished resolving errors with cve-2018-8087 --- cves/kernel/CVE-2018-8087.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2018-8087.yml b/cves/kernel/CVE-2018-8087.yml index 293e2a37d..4f5af5380 100644 --- a/cves/kernel/CVE-2018-8087.yml +++ b/cves/kernel/CVE-2018-8087.yml @@ -444,5 +444,5 @@ nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: Denial of Service through memory leak in hwsim_new_radio_nl -CVSS: 5 +nickname: DOS from memory leak +CVSS: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H From 038a2b6a3254954d379bef401facc058f5cd7839 Mon Sep 17 00:00:00 2001 From: Lollygagger Date: Thu, 9 Nov 2023 22:33:14 -0500 Subject: [PATCH 6/8] 2016-4998 --- cves/kernel/CVE-2016-4998.yml | 77 +++++++++++++++++------------------ cves/kernel/CVE-2018-8087.yml | 2 +- 2 files changed, 38 insertions(+), 41 deletions(-) diff --git a/cves/kernel/CVE-2016-4998.yml b/cves/kernel/CVE-2016-4998.yml index 2d08eb7b9..206c3f534 100644 --- a/cves/kernel/CVE-2016-4998.yml +++ b/cves/kernel/CVE-2016-4998.yml 
@@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2016-06-24' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,7 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: underprivileged users were able to call a command normally limited to root. This allows for underprivileged user root access. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -90,8 +90,7 @@ fixes: note: - commit: 6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91 note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Manually confirmed vcc_instructions: | The vulnerability-contributing commits. 
@@ -129,10 +128,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: there were no unit tests surrounding thi + fix: false + fix_answer: There were no unit tests involved in the fix discovered: question: | How was this vulnerability discovered? @@ -147,10 +146,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: This vulnerability was found by using a fuzzer tool on the linux kernel + automated: true + contest: false + developer: false autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -167,8 +166,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: This was discovered by an automated fuzzer + answer: true specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -184,8 +183,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: there was no violation of any standard as this was a memory spacing issue. + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -219,7 +218,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: netfilter note: interesting_commits: question: | @@ -237,8 +236,7 @@ interesting_commits: commits: - commit: note: - - commit: - note: + i18n: question: | Was the feature impacted by this vulnerability about internationalization 
@@ -251,8 +249,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: This did not have to do with i18n as it was an issue with having access to too much memory sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -266,7 +264,7 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: + answer: false note: ipc: question: | @@ -278,7 +276,7 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: + answer: false note: discussion: question: | @@ -305,9 +303,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: there was minimal discussion as this was discovered then immediately fixed vouch: question: | Was there any part of the fix that involved one person vouching for @@ -320,8 +318,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: the only discussion present was during fuzzing the kernel. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -335,9 +333,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: no stacktrace as this was discovered by fuzzing and posted on a forum. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? 
@@ -356,8 +354,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: there was a missing check to see that the data being accessed was within the active blob order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -369,7 +367,7 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: + answer: false note: lessons: question: | @@ -448,7 +446,7 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: There was a forgotten check that made a small error. This mistake was most likely a lapse during development CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -467,11 +465,10 @@ CWE_instructions: | CWE: - 119 CWE_note: | - CWE as registered in the NVD. If you are curating, check that this - is correct and replace this comment with "Manually confirmed". + manually confirmed nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: -CVSS: +nickname: out of blob memory access +CVSS: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H diff --git a/cves/kernel/CVE-2018-8087.yml b/cves/kernel/CVE-2018-8087.yml index 4f5af5380..bd5b750d3 100644 --- a/cves/kernel/CVE-2018-8087.yml +++ b/cves/kernel/CVE-2018-8087.yml 
@@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: 2018-03-13 +reported_date: '2018-03-13' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. From ecb8a287ee2f0ddd0b837672dc5dd5a532acdd13 Mon Sep 17 00:00:00 2001 From: Lollygagger Date: Thu, 9 Nov 2023 22:37:14 -0500 Subject: [PATCH 7/8] changes to satisfy yaml formatting: --- cves/kernel/CVE-2016-4998.yml | 49 ++--------------------------------- 1 file changed, 2 insertions(+), 47 deletions(-) diff --git a/cves/kernel/CVE-2016-4998.yml b/cves/kernel/CVE-2016-4998.yml index 206c3f534..47a69cbfa 100644 --- a/cves/kernel/CVE-2016-4998.yml +++ b/cves/kernel/CVE-2016-4998.yml @@ -115,19 +115,6 @@ upvotes_instructions: | upvotes score on your branch. upvotes: unit_tested: - question: | - Were automated unit tests involved in this vulnerability? - Was the original code unit tested, or not unit tested? Did the fix involve - improving the automated tests? - - For code: and fix: - your answer should be boolean. - - For the code_answer below, look not only at the fix but the surrounding - code near the fix in related directories and determine if and was there were - unit tests involved for this subsystem. - - For the fix_answer below, check if the fix for the vulnerability involves - adding or improving an automated test to ensure this doesn't happen again. code: false code_answer: there were no unit tests surrounding thi fix: false 
@@ -238,46 +225,14 @@ interesting_commits: note: i18n: - question: | - Was the feature impacted by this vulnerability about internationalization - (i18n)? - - An internationalization feature is one that enables people from all - over the world to use the system. This includes translations, locales, - typography, unicode, or various other features. - - Answer should be true or false - Write a note about how you came to the conclusions you did, regardless of - what your answer was. answer: false note: This did not have to do with i18n as it was an issue with having access to too much memory sandbox: - question: | - Did this vulnerability violate a sandboxing feature that the system - provides? - - A sandboxing feature is one that allows files, users, or other features - limited access. Vulnerabilities that violate sandboxes are usually based on - access control, checking privileges incorrectly, path traversal, and the - like. - - Answer should be true or false - Write a note about how you came to the conclusions you did, regardless of - what your answer was. answer: false - note: + note: This did not violate a sandboxing feature that the system provides ipc: - question: | - Did the feature that this vulnerability affected use inter-process - communication? IPC includes OS signals, pipes, stdin/stdout, message - passing, and clipboard. Writing to files that another program in this - software system reads is another form of IPC. - - Answer must be true or false. - Write a note about how you came to the conclusions you did, regardless of - what your answer was. answer: false - note: + note: no IPC was occuring. discussion: question: | Was there any discussion surrounding this? From 8e09f60b07d02f9218fd406553837e18cfcf91e2 Mon Sep 17 00:00:00 2001 
From: Lollygagger Date: Wed, 15 Nov 2023 15:29:49 -0500 Subject: [PATCH 8/8] Updates from feedback on PR --- cves/kernel/CVE-2016-4998.yml | 36 +++++++++++++++++------------------ cves/kernel/CVE-2018-8087.yml | 10 +++++----- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/cves/kernel/CVE-2016-4998.yml b/cves/kernel/CVE-2016-4998.yml index 47a69cbfa..75f2a7ccc 100644 --- a/cves/kernel/CVE-2016-4998.yml +++ b/cves/kernel/CVE-2016-4998.yml @@ -55,7 +55,7 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: underprivileged users were able to call a command normally limited to root. This allows for underprivileged user root access. +description: Underprivileged users were able to call a command normally limited to root. This allows for underprivileged user root access. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -113,12 +113,12 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 2 unit_tested: code: false - code_answer: there were no unit tests surrounding thi + code_answer: There were no unit tests surrounding this. fix: false - fix_answer: There were no unit tests involved in the fix + fix_answer: There were no unit tests involved in the fix. discovered: question: | How was this vulnerability discovered? @@ -133,7 +133,7 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: This vulnerability was found by using a fuzzer tool on the linux kernel + answer: This vulnerability was found by using a fuzzer tool on the linux kernel. automated: true contest: false developer: false 
@@ -153,7 +153,7 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: This was discovered by an automated fuzzer + note: This was discovered by an automated fuzzer. answer: true specification: instructions: | @@ -206,7 +206,7 @@ subsystem: name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok name: netfilter - note: + note: This bug was tagged with the netfilter subsystem multiple times. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? @@ -226,13 +226,13 @@ interesting_commits: i18n: answer: false - note: This did not have to do with i18n as it was an issue with having access to too much memory + note: This did not have to do with i18n as it was an issue with having access to too much memory. sandbox: answer: false - note: This did not violate a sandboxing feature that the system provides + note: This did not violate a sandboxing feature that the system provides. ipc: answer: false - note: no IPC was occuring. + note: No IPC was occuring. discussion: question: | Was there any discussion surrounding this? @@ -260,7 +260,7 @@ discussion: comment you want to make. discussed_as_security: false any_discussion: false - note: there was minimal discussion as this was discovered then immediately fixed + note: There was minimal discussion as this was discovered then it was immediately fixed. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -274,7 +274,7 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: the only discussion present was during fuzzing the kernel. + note: The only discussion present was during fuzzing the kernel. stacktrace: question: | Are there any stacktraces in the bug reports? 
@@ -290,7 +290,7 @@ stacktrace: what your answer was. any_stacktraces: false stacktrace_with_fix: false - note: no stacktrace as this was discovered by fuzzing and posted on a forum. + note: No stacktrace as this was discovered by fuzzing and posted on a forum. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -310,7 +310,7 @@ forgotten_check: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true - note: there was a missing check to see that the data being accessed was within the active blob + note: There was a missing check to see that the data being accessed was within the active blob. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -323,7 +323,7 @@ order_of_operations: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: + note: There was no order of operations involved in this vulnerability as it was just missing size check. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -401,7 +401,7 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: There was a forgotten check that made a small error. This mistake was most likely a lapse during development + answer: There was a forgotten check that made a small error. This mistake was most likely a lapse during development. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to 
@@ -420,10 +420,10 @@ CWE_instructions: | CWE: - 119 CWE_note: | - manually confirmed + Manually Confirmed nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: out of blob memory access +nickname: Out of blob memory access CVSS: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H diff --git a/cves/kernel/CVE-2018-8087.yml b/cves/kernel/CVE-2018-8087.yml index bd5b750d3..63e602c95 100644 --- a/cves/kernel/CVE-2018-8087.yml +++ b/cves/kernel/CVE-2018-8087.yml @@ -265,7 +265,7 @@ sandbox: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: Since this error was simply forgetting to free memory it did not violate a sandbox feature that the system provides + note: Since this error was simply forgetting to free memory it did not violate a sandbox feature that the system provides. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -305,7 +305,7 @@ discussion: comment you want to make. discussed_as_security: false any_discussion: false - note: no disagreements + note: No disagreements. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -319,7 +319,7 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: Since this error was simply forgetting to free memory no one was vouching + note: Since this error was simply forgetting to free memory no one was vouching. stacktrace: question: | Are there any stacktraces in the bug reports? 
@@ -338,10 +338,10 @@ stacktrace: note: no stack traces were found on the report or on the fixing commit forgotten_check: answer: false - note: Since this error was simply forgetting to free memory there was no forgotten check + note: Since this error was simply forgetting to free memory there was no forgotten check. order_of_operations: answer: false - note: Since this error was simply forgetting to free memory there was no order of operations error + note: Since this error was simply forgetting to free memory there was no order of operations error. lessons: question: | Are there any common lessons we have learned from class that apply to this
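Review bot: In PATCH 1/8 the curation_level change from 0 to 2 lands before a single field of either file has been filled in, and PATCH 3/8 then reverts it for CVE-2016-4998.yml only for PATCH 6/8 to set it to 2 again. Since curation_level 2 is what switches on the editorial checks (see the curated_instructions context lines), set it in the same commit that completes each file and squash the toggle commits so the series does not carry a debugging step in its history.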
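Review bot: In the PATCH 2/8 description hunk of CVE-2018-8087.yml the description is a plain scalar continued onto two indented lines; it parses, but every multi-line field in this template (the *_instructions and question fields) uses the `|` block style, so write `description: |` here and likewise for the subsystem note and the mistakes answer later in the same patch. The closing phrase "triggering an out-of-array error case" is also left unexplained for the audience the description_instructions context names; say plainly that the allocation made while creating the simulated radio is not freed when that error path is taken, which is what lets repeated calls exhaust memory.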
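Review bot: The PATCH 2/8 vccs hunk of CVE-2018-8087.yml drops two of the three archeogit-discovered candidates and relabels the remaining commit 26b0e411d37a "Manually verified" without recording what was checked. The note should say why that commit is the one that introduced the unfreed allocation and why the other two were ruled out, otherwise the curation cannot be reproduced; the wording also differs from "Manually Confirmed" used on the fix commit in the same patch, so pick one form. The hunk additionally inserts a whitespace-only line before upvotes_instructions, which should go.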
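Review bot: In the PATCH 2/8 unit_tested hunk of CVE-2018-8087.yml, code and fix are set to false while code_answer and fix_answer stay empty, even though the unit_tested instructions in the context lines ask for a written answer on both (what tests exist around the affected code, and whether the fix added or improved any). CVE-2016-4998.yml receives both answers in PATCH 6/8; give this file the same treatment.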
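Review bot: The PATCH 2/8 subsystem hunk of CVE-2018-8087.yml sets name: [drivers, mac80211] and the note justifies mac80211 by saying the error "was made within mac80211.c", but the nickname added later in the same patch gives the file as drivers/net/wireless/mac80211_hwsim.c. That path places the bug in the hwsim driver under drivers/net/wireless, not in a file called mac80211.c; correct the note, and reconsider whether mac80211 belongs in the list at all or whether "drivers" together with the wireless driver path is the accurate answer.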
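Review bot: The PATCH 2/8 interesting_commits hunk of CVE-2018-8087.yml (and the identical hunk for CVE-2016-4998.yml in PATCH 6/8) removes one empty "- commit:" / "note:" pair but keeps the other, and the added "+" line is whitespace only. Either fill the remaining entry with a commit that is actually interesting or remove the placeholder pair entirely, and drop the blank line with trailing whitespace.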
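Review bot: In the PATCH 2/8 nickname/CVSS hunk of CVE-2018-8087.yml the nickname runs well past the 30-character limit stated in nickname_instructions two lines above it, and "CVSS: 5" is a bare score where the field is later filled with a full vector string. PATCH 4/8 and PATCH 5/8 correct both ("DOS from memory leak" and CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H); squash those fixes into this commit, and spell the nickname "DoS" rather than "DOS".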
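Review bot: In the PATCH 4/8 hunk for CVE-2018-8087.yml the commit message says it is "resolving yaml errors", but what the hunk does is delete the question blocks under forgotten_check and order_of_operations while the question blocks of the neighbouring sections (stacktrace, lessons) stay in place. Removing template text is not a YAML fix and makes this file diverge from the template and from CVE-2016-4998.yml; restore the two question blocks and, if a checker really rejected them, quote its error in the commit message. The same applies to PATCH 7/8, which deletes the question blocks under unit_tested, i18n, sandbox and ipc in CVE-2016-4998.yml with a commit message that names no error either.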
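Review bot: The PATCH 6/8 description hunk of CVE-2016-4998.yml says underprivileged users could call a root-only command and thereby gain root access, which contradicts every other field filled in by the same patch: the nickname "out of blob memory access", the forgotten_check note about a missing check that the data accessed "was within the active blob", CWE 119, the specification note calling it a memory issue, and a CVSS vector with I:N (root access would not leave integrity unaffected). Rewrite the description around the missing bounds check the other fields describe, then re-check the CVSS vector against that description.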
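Review bot: In the PATCH 6/8 fixes hunk of CVE-2016-4998.yml the context line "note:" directly above "- commit: 6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91" shows that an empty "- commit:" / "note:" placeholder is still sitting in the fixes list. CVE-2018-8087.yml had its empty fix entries removed in PATCH 2/8; do the same here so the list holds only the confirmed fix.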
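Review bot: In the PATCH 6/8 discovered hunk of CVE-2016-4998.yml, "found by using a fuzzer tool on the linux kernel" names neither the tool nor the report, although the discovered instructions in the context lines ask where the evidence was found and the stacktrace and vouch notes in the same patch refer to a forum post about the fuzzing. Add the URL of that post and the name of the fuzzer to the answer, as the CVE-2018-8087.yml discovered answer already does with its Bugzilla link.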
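Review bot: The specification note in the PATCH 6/8 hunk of CVE-2016-4998.yml calls the bug a "memory spacing issue", which is not a recognised term; the forgotten_check note in the same patch describes it as a missing check that the accessed data lies within the blob, so say "out-of-bounds memory access" here for consistency with that note and with CWE 119.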
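Review bot: The PATCH 7/8 ipc hunk of CVE-2016-4998.yml adds "no IPC was occuring." and PATCH 8/8 only capitalises it, so the misspelling "occuring" survives into the final revision; it should read "occurring".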
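Review bot: In the PATCH 8/8 order_of_operations hunk of CVE-2016-4998.yml the new note reads "as it was just missing size check"; it needs an article ("just a missing size check").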
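Review bot: In the final PATCH 8/8 hunk for CVE-2018-8087.yml the two notes below get a capital letter and a full stop, but the context line "note: no stack traces were found on the report or on the fixing commit" directly above them keeps the old form, leaving the stacktrace note as the only lowercase, unpunctuated note in the file. Apply the same edit there.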