Merge ~sbeattie/ubuntu-cve-tracker/+git/ubuntu-cve-tracker:kernel-triage-bits into ubuntu-cve-tracker:master

Proposed by Steve Beattie
Status: Merged
Merged at revision: e509323937633969764b55c428a2d6693db06685
Proposed branch: ~sbeattie/ubuntu-cve-tracker/+git/ubuntu-cve-tracker:kernel-triage-bits
Merge into: ubuntu-cve-tracker:master
Diff against target: 116 lines (+82/-8)
2 files modified
README.linux (+78/-7)
scripts/kernel-find-fixes (+4/-1)
Reviewer Review Type Date Requested Status
Cengiz Can (community) Approve
Review via email: mp+461403@code.launchpad.net

Description of the change

This commit series does a few things around kernel cve re-triage:

- It updates the find-fixes script added by Cengiz to support configuring the location of an upstream linux git clone in the ~/.ubuntu-cve-tracker.conf file

- It renames the find-fixes script to kernel-find-fixes, to make it clear the context for which the script is intended

- It adds documentation on how to do this to the README.linux document, including how to set the git clone up to include Linus' primary tree, the linux-stable tree, and the linux-next tree

- It also adds documentation on a few other trackers that can be useful for identifying fixing CVEs, including their configuration in the ~/.ubuntu-cve-tracker.conf file, as well as referencing the scripts that can use them.

Explicitly adding Cengiz as a reviewer, to make sure the renaming of the find-fixes script won't break the kernel team's workflow.

Seth Arnold (seth-arnold) wrote :

Nice, thanks

Steve Beattie (sbeattie) wrote :

> > +git clone //git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git "$linux_kernel_path"
>
> I think this is missing a leading 'https:'

Quite right, amended commit to add it (along with adding refs to
the merge proposal in the commit messages) and re-pushed the merge
proposal branch.

Thanks!

--
Steve Beattie
<email address hidden>

Cengiz Can (cengizcan) wrote :

Thank you! No, it won't break any workflows. ACK.

review: Approve

Preview Diff

1diff --git a/README.linux b/README.linux
2index 5a4d90b..48dae64 100644
3--- a/README.linux
4+++ b/README.linux
5@@ -1,14 +1,85 @@
6 Distro kernels
7 --------------
8+
9 Ubuntu kernels as part of the archive are listed here:
10-https://wiki.ubuntu.com/Kernel/Dev/ABIPackages
11+<https://wiki.ubuntu.com/Kernel/Dev/ABIPackages>
12+
13+LTS HWE backport kernels from interim releases are typically not
14+supported once the next LTS backport kernel is available. For example,
15+once the linux 6.2 (mantic 23.10) kernel was brought back to Ubuntu
16+22.04 LTS (jammy), the prior HWE kernel in jammy, linux-5.19, no
17+longer receives updates. In older releases, the source package
18+names were based on the release codename, e.g. linux-lts-trusty,
19+linux-lts-quantal, and linux-lts-saucy.
20+
21+## Additional infrastructure for retriaging kernel CVEs.
22+
23+### Upstream kernel trees
24+
25+It is useful to have a reference clone of the upstream [linux] kernel,
26+as well as the [linux-stable] and [linux-next] trees. Additionally,
27+the `~/.ubuntu-cve-tracker.conf` file can be configured to point at the
28+reference tree for researching issues using the `linux_kernel_path`
29+variable. An example snippet to place in `~/.ubuntu-cve-tracker.conf`:
30+
31+```
32+# where to find a clone of the upstream linux, linux-stable, and
33+# linux-next kernel trees; see README.linux for more details
34+linux_kernel_path='/path/to/git/kernel-trees/linux-reference/'
35+```
36+
37+To set the tree up appropriately, edit ~/.ubuntu-cve-tracker.conf and
38+then do something like the following:
39+
40+```shell
41+. ~/.ubuntu-cve-tracker.conf
42+git clone https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git "$linux_kernel_path"
43+cd "$linux_kernel_path"
44+git remote add stable https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
45+git remote add next https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
46+git fetch --all
47+```
48+
49+With this in place, the tool `scripts/kernel-find-fix` will be able to
50+look up potential break commits using the Fixes: field from kernel git
51+commits.
52+
53+[linux]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
54+[linux-stable]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
55+[linux-next]: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
56+
57+### Tools for identifying kernel fixes
58+
59+It is useful to look at some other projects to see if they have
60+potentially identified fixes for kernel vulnerabilities. The three
61+common ones are the
62+
63+- [Upstream kernel CNA repo][linux-cna]
64+- [Debian's kernel security tracker][debian-kernel]
65+- Nicholas Leudtke's [linux github tracker][linux-github]
66+
67+The latter two can be configured as references in
68+`~/.ubuntu-cve-tracker.conf` for use with tools, via the
69+`debian_kernel_cve_tracker` and `linux_kernel_cve_tracker` variables
70+respectively. An example:
71+
72+```
73+# path to a copy of the linux kernel cve tracker from
74+# https://github.com/nluedtke/linux_kernel_cves.git
75+linux_kernel_cve_tracker='/path/to/git/cve_trackers/linux_kernel_cves/'
76
77-Android kernels (flo, goldfish, grouper, maguro, mako and manta) are not
78-supported on the Ubuntu Touch 14.10 and earlier preview kernels.
79+# path to a copy of the debian kernel cve tracker from
80+# https://salsa.debian.org/kernel-team/kernel-sec.git
81+debian_kernel_cve_tracker='/path/to/git/cve_trackers/debian-kernel-sec/'
82+```
83
84-LTS backport kernels from interim releases are typically not supported once the
85-next LTS backprt kernel is available. For example, now that linux-lts-trusty
86-is available, linux-lts-quantal and linux-lts-saucy no longer receive official
87-support.
88+With these configured, the scripts `kernel-triage-missing-break-fix` and
89+`kernel-retriage-cve` can be used to look for CVEs where we have
90+not identified a fixing commit, but the other projects may have already
91+done so.
92
93+**TODO**: add support for examining the linux cna repo
94
95+[linux-cna]: https://git.kernel.org/pub/scm/linux/security/vulns.git/
96+[debian-kernel]: https://salsa.debian.org/kernel-team/kernel-sec.git
97+[linux-github]: https://github.com/nluedtke/linux_kernel_cves.git
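Review bot: the README names the tool `scripts/kernel-find-fix`, but the rename in this same proposal produces `scripts/kernel-find-fixes`, so the sentence "With this in place, the tool `scripts/kernel-find-fix` will be able to" should use the real script name or readers will look for a file that does not exist. Two smaller points in the same hunk: the tracker author is written "Nicholas Leudtke" while the repository path is `nluedtke/linux_kernel_cves`, so the name should probably read "Luedtke"; and the new sections use ATX `##`/`###` headings, one with a trailing period ("## Additional infrastructure for retriaging kernel CVEs."), while the existing "Distro kernels" heading is underlined with dashes, so consider dropping the period and keeping one heading style. The first configuration snippet's fence has no language tag while the second is tagged `shell`; both are shell fragments, so tagging both renders consistently.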
98diff --git a/scripts/find-fixes b/scripts/kernel-find-fixes
99similarity index 96%
100rename from scripts/find-fixes
101rename to scripts/kernel-find-fixes
102index a5cbaf1..b8b63a0 100755
103--- a/scripts/find-fixes
104+++ b/scripts/kernel-find-fixes
105@@ -10,7 +10,10 @@
106 # USER CONFIGURATION STARTS
107 #
108 # Should be updated accordingly:
109-UPSTREAM_KERNEL_DIR=~/kernel/upstream
110+
111+[ -f "$HOME"/.ubuntu-cve-tracker.conf ] && . "$HOME"/.ubuntu-cve-tracker.conf
112+
113+UPSTREAM_KERNEL_DIR="${linux_kernel_path:-~/kernel/upstream}"
114 KERNEL_VERSIONS='6.5 6.2 6.1 5.19 5.15 5.14 5.10 5.4 4.19 4.15 4.14 4.9 4.4'
115 IFS=" " read -r -a kernel_versions <<< "$KERNEL_VERSIONS"
116 #
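Review bot: the fallback in `UPSTREAM_KERNEL_DIR="${linux_kernel_path:-~/kernel/upstream}"` sits inside double quotes, and bash does not perform tilde expansion inside double quotes, even in the word of a `${var:-word}` expansion, so when `linux_kernel_path` is unset the variable holds the literal string `~/kernel/upstream` instead of the expanded home path that the removed unquoted assignment `UPSTREAM_KERNEL_DIR=~/kernel/upstream` produced. Suggest `UPSTREAM_KERNEL_DIR="${linux_kernel_path:-$HOME/kernel/upstream}"`. The README snippet added in the other file single-quotes the value (`linux_kernel_path='/path/to/git/kernel-trees/linux-reference/'`), so a user who writes `~` there hits the same problem; a note to use an absolute path or `$HOME` in the conf file would avoid it. The `[ -f ... ] && . ...` guard is fine under `set -e` since a failing left-hand side of `&&` does not abort the script.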
