CVE-2018-8087 and CVE-2016-4998

cves/kernel/CVE-2016-4998.yml

@@ -19,14 +19,14 @@ curated_instructions: |
   This will enable additional editorial checks on this file to make sure you
   fill everything out properly. If you are a student, we cannot accept your work
   as finished unless curated is properly updated.
-curation_level: 0
+curation_level: 2
 reported_instructions: |
   What date was the vulnerability reported to the security team? Look at the
   security bulletins and bug reports. It is not necessarily the same day that
   the CVE was created.  Leave blank if no date is given.
 
   Please enter your date in YYYY-MM-DD format.
-reported_date:
+reported_date: '2016-06-24'
 announced_instructions: |
   Was there a date that this vulnerability was announced to the world? You can
   find this in changelogs, blogs, bug reports, or perhaps the CVE date.
@@ -55,7 +55,7 @@ description_instructions: |
 
   Your target audience is people just like you before you took any course in
   security
-description:
+description: Underprivileged users were able to call a command normally limited to root. This allows for underprivileged user root access.
 bounty_instructions: |
   If you came across any indications that a bounty was paid out for this
   vulnerability, fill it out here. Or correct it if the information already here
@@ -90,8 +90,7 @@ fixes:
   note:
 - commit: 6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91
   note: |
-    Taken from NVD references list with Git commit. If you are
-    curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed'
+    Manually confirmed
 vcc_instructions: |
   The vulnerability-contributing commits.
 
@@ -114,25 +113,12 @@ upvotes_instructions: |
   upvotes to each vulnerability you see. Your peers will tell you how
   interesting they think this vulnerability is, and you'll add that to the
   upvotes score on your branch.
-upvotes:
+upvotes: 2
 unit_tested:
-  question: |
-    Were automated unit tests involved in this vulnerability?
-    Was the original code unit tested, or not unit tested? Did the fix involve
-    improving the automated tests?
-
-    For code: and fix: - your answer should be boolean.
-
-    For the code_answer below, look not only at the fix but the surrounding
-    code near the fix in related directories and determine if and was there were
-    unit tests involved for this subsystem.
-
-    For the fix_answer below, check if the fix for the vulnerability involves
-    adding or improving an automated test to ensure this doesn't happen again.
-  code:
-  code_answer:
-  fix:
-  fix_answer:
+  code: false
+  code_answer: There were no unit tests surrounding this.
+  fix: false
+  fix_answer: There were no unit tests involved in the fix.
 discovered:
   question: |
     How was this vulnerability discovered?
@@ -147,10 +133,10 @@ discovered:
 
     If there is no evidence as to how this vulnerability was found, then please
     explain where you looked.
-  answer:
-  automated:
-  contest:
-  developer:
+  answer: This vulnerability was found by using a fuzzer tool on the linux kernel.
+  automated: true
+  contest: false
+  developer: false
 autodiscoverable:
   instructions: |
     Is it plausible that a fully automated tool could have discovered
@@ -167,8 +153,8 @@ autodiscoverable:
 
     The answer field should be boolean. In answer_note, please explain
     why you come to that conclusion.
-  note:
-  answer:
+  note: This was discovered by an automated fuzzer.
+  answer: true
 specification:
   instructions: |
     Is there mention of a violation of a specification? For example, the POSIX
@@ -184,8 +170,8 @@ specification:
 
     The answer field should be boolean. In answer_note, please explain
     why you come to that conclusion.
-  note:
-  answer:
+  note: there was no violation of any standard as this was a memory spacing issue.
+  answer: false
 subsystem:
   question: |
     What subsystems was the mistake in? These are WITHIN linux kernel
@@ -219,8 +205,8 @@ subsystem:
     e.g.
         name: ["subsystemA", "subsystemB"] # ok
         name: subsystemA # also ok
-  name:
-  note:
+  name: netfilter
+  note: This bug was tagged with the netfilter subsystem multiple times.
 interesting_commits:
   question: |
     Are there any interesting commits between your VCC(s) and fix(es)?
@@ -237,49 +223,16 @@ interesting_commits:
   commits:
   - commit:
     note:
-  - commit:
-    note:
-i18n:
-  question: |
-    Was the feature impacted by this vulnerability about internationalization
-    (i18n)?
 
-    An internationalization feature is one that enables people from all
-    over the world to use the system. This includes translations, locales,
-    typography, unicode, or various other features.
-
-    Answer should be true or false
-    Write a note about how you came to the conclusions you did, regardless of
-    what your answer was.
-  answer:
-  note:
+i18n:
+  answer: false
+  note: This did not have to do with i18n as it was an issue with having access to too much memory.
 sandbox:
-  question: |
-    Did this vulnerability violate a sandboxing feature that the system
-    provides?
-
-    A sandboxing feature is one that allows files, users, or other features
-    limited access. Vulnerabilities that violate sandboxes are usually based on
-    access control, checking privileges incorrectly, path traversal, and the
-    like.
-
-    Answer should be true or false
-    Write a note about how you came to the conclusions you did, regardless of
-    what your answer was.
-  answer:
-  note:
+  answer: false
+  note: This did not violate a sandboxing feature that the system provides.
 ipc:
-  question: |
-    Did the feature that this vulnerability affected use inter-process
-    communication? IPC includes OS signals, pipes, stdin/stdout, message
-    passing, and clipboard. Writing to files that another program in this
-    software system reads is another form of IPC.
-
-    Answer must be true or false.
-    Write a note about how you came to the conclusions you did, regardless of
-    what your answer was.
-  answer:
-  note:
+  answer: false
+  note: No IPC was occuring.
 discussion:
   question: |
     Was there any discussion surrounding this?
@@ -305,9 +258,9 @@ discussion:
 
     Put any links to disagreements you found in the notes section, or any other
     comment you want to make.
-  discussed_as_security:
-  any_discussion:
-  note:
+  discussed_as_security: false
+  any_discussion: false
+  note: There was minimal discussion as this was discovered then it was immediately fixed.
 vouch:
   question: |
     Was there any part of the fix that involved one person vouching for
@@ -320,8 +273,8 @@ vouch:
 
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of what your answer was.
-  answer:
-  note:
+  answer: false
+  note: The only discussion present was during fuzzing the kernel.
 stacktrace:
   question: |
     Are there any stacktraces in the bug reports?
@@ -335,9 +288,9 @@ stacktrace:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  any_stacktraces:
-  stacktrace_with_fix:
-  note:
+  any_stacktraces: false
+  stacktrace_with_fix: false
+  note: No stacktrace as this was discovered by fuzzing and posted on a forum.
 forgotten_check:
   question: |
     Does the fix for the vulnerability involve adding a forgotten check?
@@ -356,8 +309,8 @@ forgotten_check:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
-  note:
+  answer: true
+  note: There was a missing check to see that the data being accessed was within the active blob.
 order_of_operations:
   question: |
     Does the fix for the vulnerability involve correcting an order of
@@ -369,8 +322,8 @@ order_of_operations:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
-  note:
+  answer: false
+  note: There was no order of operations involved in this vulnerability as it was just missing size check.
 lessons:
   question: |
     Are there any common lessons we have learned from class that apply to this
@@ -448,7 +401,7 @@ mistakes:
 
     Write a thoughtful entry here that people in the software engineering
     industry would find interesting.
-  answer:
+  answer: There was a forgotten check that made a small error. This mistake was most likely a lapse during development.
 CWE_instructions: |
   Please go to http://cwe.mitre.org and find the most specific, appropriate CWE
   entry that describes your vulnerability. We recommend going to
@@ -467,11 +420,10 @@ CWE_instructions: |
 CWE:
 - 119
 CWE_note: |
-  CWE as registered in the NVD. If you are curating, check that this
-  is correct and replace this comment with "Manually confirmed".
+  Manually Confirmed
 nickname_instructions: |
   A catchy name for this vulnerability that would draw attention it.
   If the report mentions a nickname, use that.
   Must be under 30 characters. Optional.
-nickname:
-CVSS:
+nickname: Out of blob memory access
+CVSS: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H