Merge ~emitorino/ubuntu-cve-tracker:update_usn_guidelines into ubuntu-cve-tracker:master
- Git
- lp:~emitorino/ubuntu-cve-tracker
- update_usn_guidelines
- Merge into master
Status: | Merged |
---|---|
Merge reported by: | Emilia Torino |
Merged at revision: | 70556635c4c68955c8a64024b6112dd305649a07 |
Proposed branch: | ~emitorino/ubuntu-cve-tracker:update_usn_guidelines |
Merge into: | ubuntu-cve-tracker:master |
Diff against target: |
334 lines (+202/-59) 1 file modified
README.usn (+202/-59) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Alex Murray | Approve | ||
Review via email: mp+424702@code.launchpad.net |
Commit message
- README.usn: Add further USN guidelines
Description of the change
Every day the security team creates USNs and is very important to keep a consistent voice and feel for the benefit of our users.
The updates added to README.usn aim consolidate general rules and guidelines to make sure we achieve such goal.
- 7df6470... by Emilia Torino
-
Explaining README sections
Signed-off-by: Maria Emilia Torino <email address hidden>
Spyros Seimenis (sespiros) wrote : | # |
LGTM! (minor typo)
- 38cd43a... by Emilia Torino
-
Fixing typo
Signed-off-by: Maria Emilia Torino <email address hidden>
Emilia Torino (emitorino) wrote : | # |
> LGTM! (minor typo)
Fixed. Thanks!
Mark Esler (eslerm) wrote : | # |
This looks great! I learned a lot and will use it as a reference often.
Here are minor suggestions:
Line 27: use "nickname" and "organization" instead of abbreviations.
Line 35: "isummary" perhaps a typo?
Line 77: I'd depoliticize the `woke` list by changing that filename to `inclusivity`, but that's another topic.
Lines 86, 317, and 319: `id est` and `example given` syntax inconsistency. Most of the document uses the form `i.e.` or `e.g.`. I'd choose one of the two syntax's.
Mark Esler (eslerm) wrote : | # |
adding inline comments for above
- 7055663... by Emilia Torino
-
Adding further MP suggestions
Signed-off-by: Maria Emilia Torino <email address hidden>
Emilia Torino (emitorino) wrote : | # |
Adding Mark's suggestions.
Emilia Torino (emitorino) wrote : | # |
> This looks great! I learned a lot and will use it as a reference often.
>
> Here are minor suggestions:
>
> Line 27: use "nickname" and "organization" instead of abbreviations.
>
> Line 35: "isummary" perhaps a typo?
>
> Line 77: I'd depoliticize the `woke` list by changing that filename to
> `inclusivity`, but that's another topic.
>
> Lines 86, 317, and 319: `id est` and `example given` syntax inconsistency.
> Most of the document uses the form `i.e.` or `e.g.`. I'd choose one of the two
> syntax's.
Thanks a lot for the suggestions!
Preview Diff
1 | diff --git a/README.usn b/README.usn |
2 | index 6d7393d..ac8156f 100644 |
3 | --- a/README.usn |
4 | +++ b/README.usn |
5 | @@ -1,52 +1,210 @@ |
6 | -USNs need a consistent feel. Eg: |
7 | +USNs need a consistent voice and feel for the benefit of our users. |
8 | + |
9 | +This document consolidates rules, guidelines and examples applying to USN |
10 | +sections. |
11 | + |
12 | +* General rules for the description |
13 | + |
14 | +For every CVE involved in the USN, the description should be like: |
15 | |
16 | [<name> discovered that <pkg>....] <problem>. <kinds of exploits possible>. |
17 | -Spell out things like denial of service. Avoid non-inclusive terms and |
18 | -phrases like man in the middle or blacklist/whitelist. |
19 | -(CVE-XXXX-XXXX) -- only if multiple CVEs |
20 | +<result> |
21 | + |
22 | +The first sentence explains the problem in the package. The second one explains |
23 | +how an attacker could possibly exploit such problem, resulting in a security |
24 | +issue. |
25 | + |
26 | +** Discoverer |
27 | +For the discoverer <name>, check $UCT for the Discovered-by field. If it’s |
28 | +empty, look for the discoverer in bugs, patches, etc. We only use real names |
29 | +(not nicknames or organizations) in credits and be aware that the patch |
30 | +supplier is not always the discoverer. If there is no discoverer available, |
31 | +simply use: "It was discovered that <pkg> ..." |
32 | + |
33 | +** Affected packages |
34 | +For <pkg>, use the upstream package name in the title, description and |
35 | +isummary (issue summary) sections. This not always matches with the ubuntu |
36 | +source package name being patched. Only mention the package name, not affected |
37 | +versions. |
38 | + |
39 | +Make sure the source package description was properly set for every affected |
40 | +release (i.e. the value for the usn.py --source-description argument in the |
41 | +generated usn shell script is set). If it was not automatically populated, make |
42 | +sure the source package is present in $UCT/meta_list/package_info_overrides.json |
43 | +and add it if it is not. |
44 | |
45 | -Write one paragraph for each CVE or, if the description is identical for |
46 | -multiple CVEs, consolidate and list the CVEs in the brackets. Don’t include the |
47 | -CVE number if there is only one CVE being fixed or if all the CVEs share a |
48 | -description. |
49 | +** CVEs references |
50 | +If the USN involves multiple CVEs, write one paragraph for each one. Add |
51 | +(CVE-XXXX-XXXX) at the end of each description, after the final dot. |
52 | + |
53 | +If the description is identical for multiple CVEs, consolidate all into one |
54 | +paragraph and list the CVEs in the brackets. e.g. (CVE-XXXX-XXXX, CVE-XXXX-XXXY) |
55 | + |
56 | +If there is only one CVE being fixed, do not add the CVE number. |
57 | |
58 | If a CVE only affected some of the releases mentioned in the USN, suffix the |
59 | paragraph with the sentence `This issue only affected <releases>.`, e.g.: |
60 | Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. |
61 | |
62 | -For the discoverer <name>, check $UCT for the Discovered-by field. If it’s |
63 | -empty, look for the discoverer in bugs, patches, etc. We only use real names |
64 | -(not nicks or orgs) in credits and be aware that the patch supplier is not |
65 | -always the discoverer. |
66 | +** Terms |
67 | +Spell out terms. Instead of using "DoS", use "denial of service". |
68 | |
69 | -For <pkg>, use the upstream package name. |
70 | +Don't capitalize terms. Instead of using "Denial of Service" use "denial of |
71 | +service". |
72 | |
73 | -If the vulnerability requires user action, one possible template is: |
74 | -If a user <or automated system> were tricked into <opening a specially crafted |
75 | -<file type> || performing <action>> |
76 | +Avoid non-inclusive terms and phrases. Use "allowlist" in place of "whitelist" |
77 | +and "denylist" or "blocklist" in place of "blacklist". Find alternative terms in |
78 | +https://git.launchpad.net/usn-tool/tree/woke.yaml The scripts involved in the |
79 | +USN publication process will use this suggestions to report possible |
80 | +non-inclusive terms being mentioned. |
81 | + |
82 | +** Vulnerability explanation |
83 | + |
84 | +Be specific, but not overly detailed. Avoid being too technical. Use "under |
85 | +certain circumstances" instead of detailing specific files, functions, etc. |
86 | + |
87 | +Write the description in past tense. e.g.: "MySQL had a vulnerability" vs |
88 | +"MySQL has a vulnerability". |
89 | |
90 | If possible, fill in details on the adversary, e.g: |
91 | <An unprivileged || A privileged> <local || remote> attacker <with |
92 | -x privileges> |
93 | +x privileges>. If a live connection is needed for the vulnerability to be |
94 | +exploited, use "authenticated user" instead of "attacker" to give a better |
95 | +sense of the scope. |
96 | + |
97 | +If the vulnerability requires user action, one possible template is: |
98 | +If a user <or automated system> were tricked into <opening a specially crafted |
99 | +<file type> || performing <action>> an attacker could possibly use this issue |
100 | +to <result>. |
101 | + |
102 | +For <kinds of exploits possible>, generally try to be as specific as possible. |
103 | +Add: "<adversary> could possibly use this issue to ..." since we cannot confirm |
104 | +how the adversary will take advantage of the vulnerability. |
105 | + |
106 | +If the impact is not clear, use the following generic statement: |
107 | +"resulting in <result>, or another unspecified impact". |
108 | + |
109 | +** Regressions |
110 | + |
111 | +Make sure the USN title is <pkg> regression. The description should say: |
112 | +USN-XXXX-1 fixed <vulnerabilities | a vulnerability> in <pkg>. Unfortunately |
113 | +that update <problem> and could introduce a regression. This updated fixes the |
114 | +problem. |
115 | |
116 | -For <kinds of exploits possible>, generally try to be as specific as |
117 | -possible. Some generic examples of attacks are: |
118 | -<possibly use this issue | exploit this with a crafted <input>> |
119 | +We apologize for the inconvenience. |
120 | |
121 | -Some generic examples of effects are: |
122 | -cause <pkg> <to expose sensitive information | execute arbitrary code> |
123 | -If the impact is not clear, the following is a generic statement on impact: |
124 | -crash, resulting in a denial of service, or possibly execute arbitrary code. |
125 | +Original advisory details: <USN-XXXX-1 description> |
126 | |
127 | |
128 | -Be specific, but not overly detailed. Examples: |
129 | +* General rules for the summary |
130 | |
131 | -Temporary file race: |
132 | +If several CVEs are fixed in the USN, keep the summary as "Several issues were |
133 | +fixed in <pkg>" (even if all CVEs share the same description). |
134 | + |
135 | +Otherwise the summary should be written as: <pkg> could <result> if <condition> |
136 | + |
137 | +* General rules for the title |
138 | + |
139 | +<pkg> should respect the upstream name. If more than one CVE is fixed, make |
140 | +sure the title is in plural: <pkg> vulnerabilities |
141 | + |
142 | +* General rules for affected binaries |
143 | + |
144 | +Even though more than one binary can be generated as part of the source package |
145 | +update, the USN should only list the binary/binaries that are indeed affected |
146 | +by the CVE/CVEs being fixed for every release. |
147 | + |
148 | +* Examples |
149 | + |
150 | +Memory management |
151 | +----------------- |
152 | +<name> discovered that <pkg> did not properly manage memory <condition>. |
153 | +<kinds of exploits possible>. <result> |
154 | + |
155 | +It was discovered that HTMLDOC did not properly manage memory under certain |
156 | +circumstances. If a user were tricked into opening a specially crafted HTML |
157 | +file, a remote attacker could possibly use this issue to cause HTMLDOC to |
158 | +crash, resulting in a denial of service, or possibly execute arbitrary code |
159 | + |
160 | +Florian Weimer discovered that Cron incorrectly handled certain memory |
161 | +operations during crontab file creation. An attacker could possibly use |
162 | +this issue to cause a denial of service |
163 | + |
164 | +It was discovered that Thunderbird did not properly manage memory when |
165 | +using XUL tree elements. If a user were tricked into viewing malicious |
166 | +content, a remote attacker could cause a denial of service or possibly |
167 | +execute arbitrary code with the privileges of the user invoking the |
168 | +programs. |
169 | + |
170 | +Danilo Ramos discovered that rsync incorrectly handled memory when |
171 | +performing certain zlib deflating operations. An attacker could use this |
172 | +issue to cause rsync to crash, resulting in a denial of service, or |
173 | +possibly execute arbitrary code. |
174 | + |
175 | +It was discovered that FFmpeg incorrectly handled memory when using certain |
176 | +filters. An attacker could possibly use this issue to cause a denial of service |
177 | +or other unspecified impact. |
178 | + |
179 | +User input |
180 | +----------------- |
181 | +<name> discovered that <pkg> did not properly manage certain inputs. |
182 | +<kinds of exploits possible>. <result> |
183 | + |
184 | +Han Zheng discovered that Liblouis incorrectly handled certain inputs. |
185 | +An attacker could possibly use this issue to cause a crash |
186 | + |
187 | +File management |
188 | +----------------- |
189 | +<name> discovered that <pkg> did not properly manage certain files. |
190 | +<kinds of exploits possible>. <result> |
191 | + |
192 | +It was discovered that Ghostscript incorrectly handled certain PostScript |
193 | +files. If a user or automated system were tricked into processing a |
194 | +specially crafted file, a remote attacker could possibly use this issue to |
195 | +access arbitrary files, execute arbitrary code, or cause a denial of |
196 | +service. |
197 | + |
198 | +It was discovered that nginx incorrectly handled files with |
199 | +certain modification dates. A remote attacker could possibly |
200 | +use this issue to cause a denial of service or other unspecified |
201 | +impact. |
202 | + |
203 | +Crafted websites |
204 | +----------------- |
205 | +It was discovered that Go applications incorrectly handled uploaded content. If |
206 | +a user were tricked into visiting a malicious page, a remote attacker could |
207 | +exploit this with a crafted file to conduct cross-site scripting (XSS) attacks. |
208 | + |
209 | +Permissions |
210 | +----------------- |
211 | +<name> discovered that <pkg> incorrectly handled permissions <condition>. |
212 | +<kinds of exploits possible>. <result> |
213 | + |
214 | +It was discovered that the postinst maintainer script in Cron unsafely |
215 | +handled file permissions during package install or update operations. |
216 | +An attacker could possibly use this issue to perform a privilege |
217 | +escalation attack |
218 | + |
219 | +Jan Schejbal discovered that Paramiko incorrectly handled permissions when |
220 | +writing private key files. A local attacker could possibly use this issue |
221 | +to gain access to private keys. |
222 | + |
223 | +Dan Rabe discovered that OpenJDK incorrectly verified access permissions |
224 | +in the JAXP component. An attacker could possibly use this to specially |
225 | +craft an XML file to obtain sensitive information. |
226 | + |
227 | +James Troup discovered that snap did not properly manage the permissions for |
228 | +the snap directories. A local attacker could possibly use this issue to expose |
229 | +sensitive information |
230 | + |
231 | +Temporary file race |
232 | +----------------- |
233 | <name> discovered that <pkg> created temporary files in an insecure way. |
234 | <Local|Remote> users could exploit a race condition to create or overwrite |
235 | files with the privileges of the user invoking the program. |
236 | |
237 | -User-assisted: |
238 | +User-assisted |
239 | +----------------- |
240 | <name> discovered that <pkg> did <error condition>. If a user were tricked |
241 | into opening a specially crafted <file type>, an attacker could <result> |
242 | in <pkg>. |
243 | @@ -56,8 +214,8 @@ comparisons in certain operations. If a user were tricked into opening a |
244 | specially crafted PNG image, an attacker could cause a denial of service in |
245 | applications linked against libpng. |
246 | |
247 | - |
248 | -Remote vulnerability: |
249 | +Remote vulnerability |
250 | +----------------- |
251 | <name> discovered that <pkg> did <error condition>. A remote attacker could |
252 | <attack technique> to the server and <result>. |
253 | |
254 | @@ -65,8 +223,8 @@ Nahuel Riva and Gerardo Richarte discovered that the DHCP server did not |
255 | correctly handle certain client options. A remote attacker could send malicious |
256 | DHCP replies to the server and execute arbitrary code. |
257 | |
258 | - |
259 | -Remote authenticated user vulnerability: |
260 | +Remote authenticated user vulnerability |
261 | +----------------- |
262 | <name> discovered that <pkg> did <error condition>. An authenticated user could |
263 | <attack technique> to <result>. |
264 | |
265 | @@ -74,8 +232,8 @@ Neil Kettle discovered that MySQL could be made to dereference a NULL pointer |
266 | and divide by zero. An authenticated user could exploit this with a crafted IF |
267 | clause, leading to a denial of service. (CVE-2007-2583) |
268 | |
269 | - |
270 | -Automated system: |
271 | +Automated system |
272 | +----------------- |
273 | <name> discovered that <pkg> did <error condition>. If a user or automated |
274 | system were tricked... |
275 | |
276 | @@ -84,8 +242,8 @@ archives. If a user or automated system were tricked into processing a |
277 | specially crafted bzip2 archive, applications linked against libbz2 could be |
278 | made to crash, possibly leading to a denial of service. |
279 | |
280 | - |
281 | -Local vulnerability: |
282 | +Local vulnerability |
283 | +----------------- |
284 | <name> discovered that <pkg> did <error condition>. A local user could <attack |
285 | technique> and <result>. |
286 | |
287 | @@ -94,12 +252,8 @@ when using helper programs. Local users may be able to bypass security |
288 | restrictions and gain root privileges using programs such as mount.nfs or |
289 | mount.cifs. |
290 | |
291 | - |
292 | -Man in the Middle - |
293 | +Machine in the middle |
294 | ----------------- |
295 | -Don't use this term directly as it is not inclusive and too jargony - |
296 | -instead just describe the scenario, ie. |
297 | - |
298 | <name> discovered that <pkg> did not <error condition> when using a secure |
299 | connection. If a remote attacker were able to intercept communication this |
300 | flaw could be exploited to view sensitive information. |
301 | @@ -108,25 +262,14 @@ It was discovered that Pidgin did not validate SSL certificates when using a |
302 | secure connection. If a remote attacker were able to intercept |
303 | communications this flaw could be exploited to view sensitive information. |
304 | |
305 | -In the above: |
306 | -<result> might be: |
307 | -* what privileges the attacker ends up with. e.g. "..and execute arbitrary |
308 | -code with root privileges" or "... with user privileges" |
309 | -* denial of service |
310 | -* escalated priviliges |
311 | - |
312 | -Tips: |
313 | -use "authenticated user" instead of "attacker" for the stuff that needs a live |
314 | -connection to give a better sense of the scope. |
315 | - |
316 | -don't capitalize things like "denial of service" |
317 | - |
318 | -do capitalize when there is an official upstream name (eg MySQL vs mysql) |
319 | - |
320 | -write the USN in past tense. Eg "MySQL had a vulnerability" vs "MySQL has a |
321 | -vulnerability" |
322 | +Summary |
323 | +----------------- |
324 | +ImageMagick could be made to crash if it opened a specially crafted file. |
325 | |
326 | -avoid non-inclusive language - use "allowlist" in place of "whitelist" and |
327 | -"denylist" or "blocklist" in place of "blacklist" |
328 | +e2fsprogs could be made to crash or possibly run programs if it processed a |
329 | +specially crafted file system image |
330 | |
331 | +Ruby could be made to crash or read sensitive information when processing |
332 | +certain input. |
333 | |
334 | +FreeRDP could allow unintended access to network services. |
Very nicely done Emi! LGTM.