FixingCVEs
Differences between revisions 4 and 5
Go to the kernel team's CVE spreadsheet, pick out a CVE to work on and put your username in the "Assignee" column, next to the CVE you picked.
- Create a Launchpad Bug for the targeted CVE.
- Use the CVE id as the title for the bug.
- Use the Description from the CVE tracker link as the bug description.
- Add the tag: "kernel-cve-tracker"
Add the Launchpad Bug link to the kernel team's CVE spreadsheet in the Bug Number column for the CVE.
STEAM='lp:~ubuntu-security/ubuntu-cve-tracker/master'
KTEAM='lp:~canonical-kernel-team/ubuntu-cve-tracker/kernel-team'
To create the branch:
- bzr branch $KTEAM
In the tracker branch (this syncing should probably be scripted):
- bzr pull $KTEAM
- bzr commit -m "Saving local changes"
- bzr push $KTEAM
- bzr missing -q --theirs-only --line $STEAM | tee ../msg
If ../msg is not empty:
- bzr merge $STEAM
- bzr commit -m "$(cat ../msg)"
- bzr push $KTEAM
After changing anything in an active/CVE-* file (!! WARNING: bzr includes *all* files changed in the branch dir in the commit):
- bzr commit -m "<this is my message to the world>"
- bzr push $KTEAM
Useful for cleaning up the previous commit (the commit is undone, the changes are not):
- bzr uncommit
Notes to be cleaned up:
- Save the patch to a file.
  - Go to the CVE tracker page (http://people.canonical.com/~ubuntu-security/cve/pkg/linux.html)
  - Follow the CVE link in the left column for the CVE you are working on to the details page.
  - Follow the link for "Patches: Upstream:" to the upstream git web commit.
  - Click the "patch" link in the top part of the page.
  - Select "Save As" from your browser and save the patch.
- Modify the patch
  - Add the buglink to the patch
  - Add your sob to the patch
  - Add the CVE number to the Subject line
  - Add the CVE number to the bug comment body above the buglink
  - Add the upstream commit from which the patch was either cherry-picked or backported above your s.o.b.
  - Add a comment if the patch was accepted into one or more stable kernels.
- Create a LP bug
  - Summary is the CVE id: "CVE-2010-XXXX"
  - Mark the bug as a security bug
  - Further information is taken from the patch commit description.
  - Add the tag: "kernel-cve-tracker"
  - Add "Link to CVE"
  - Nominate for all supported releases.
  - If the patch has already been applied to a release, mark that task "fixed-released"
  - For each release that the patch applies to:
    - Set status to "Inprogress"
    - Set Importance to "Low"
    - Set "Assigned to" to yourself
  - After applying the patch, add the patch as an attachment to the bug.
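The "Modify the patch" steps above can be applied mechanically to a saved patch. The following is an added example, not part of the original wiki page or the kernel team's tooling: `annotate_patch` is a hypothetical helper, the exact `BugLink:` URL form, the ", CVE" subject suffix and the "(cherry picked from commit ...)" wording are assumptions, and the sample patch, CVE id, bug number and commit id are constructed placeholders.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SHA_RE = re.compile(r"[0-9a-f]{40}")
SUBJECT_RE = re.compile(r"^Subject: .*(?:\n[ \t].*)*", re.M)  # header plus folded lines

def annotate_patch(patch, cve, bug, upstream, signer, backported=False):
    """Apply the "Modify the patch" steps to a git format-patch mail (hypothetical helper)."""
    if not CVE_RE.fullmatch(cve):
        raise ValueError(f"not a CVE id: {cve!r}")
    if not SHA_RE.fullmatch(upstream):
        raise ValueError("upstream commit must be a full 40-hex id")
    headers, sep, rest = patch.partition("\n\n")      # mail headers | everything else
    message, dash, diff = rest.partition("\n---\n")   # commit message | diffstat + diff
    if not (sep and dash and SUBJECT_RE.search(headers)):
        raise ValueError("input does not look like a git format-patch mail")
    if "BugLink:" in message or cve in headers:
        raise ValueError("patch is already annotated")
    # CVE number at the end of the (possibly folded) Subject header.
    headers = SUBJECT_RE.sub(lambda m: f"{m.group(0)}, {cve}", headers, count=1)
    # CVE number above the BugLink; upstream origin directly above our sign-off.
    origin = "backported" if backported else "cherry picked"
    message = (f"{cve}\n\nBugLink: http://bugs.launchpad.net/bugs/{bug}\n\n"
               f"{message.rstrip()}\n"
               f"({origin} from commit {upstream})\n"
               f"Signed-off-by: {signer}")
    return f"{headers}\n\n{message}\n---\n{diff}"

# Constructed sample: a minimal format-patch mail with placeholder ids.
SAMPLE = """\
From 0123456789abcdef0123456789abcdef01234567 Mon Sep 17 00:00:00 2001
From: Upstream Dev <dev@example.org>
Date: Sat, 1 Jan 2011 00:00:00 +0000
Subject: [PATCH] demo: validate length before copy

Reject oversized requests.

Signed-off-by: Upstream Dev <dev@example.org>
---
 demo.c | 1 +
 1 file changed, 1 insertion(+)
"""

if __name__ == "__main__":
    print(annotate_patch(SAMPLE, "CVE-0000-0000", 123456,
                         "0123456789abcdef0123456789abcdef01234567",
                         "Your Name <you@example.org>"))
```

The helper refuses a patch that already carries a BugLink or the CVE id in its headers, so running it twice on the same file does not stack duplicate annotations.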
Kernel/Dev/FixingCVEs (last edited 2011-05-18 22:25:50 by static-50-53-98-161)