FixingCVEs

Differences between revisions 5 and 6
Revision 5 as of 2011-01-26 16:41:06
Size: 2922
Editor: pool-98-108-155-157
Comment:
Revision 6 as of 2011-01-26 16:48:22
Size: 3011
Editor: pool-98-108-155-157
Comment:
Deletions are marked like this. Additions are marked like this.
Line 59: Line 59:
    * If the patch is not needed for a particular release it should be marked "invalid"

  1. Go to the kernel team's CVE spreadsheet, pick out a CVE to work on and put your username in the "Assignee" column, next to the CVE you picked.

  2. Create a Launchpad Bug for the targeted CVE.
    • Use the CVE id as the title for the bug.
    • Use the Description from the CVE tracker link as the bug description.
    • Add the tag: "kernel-cve-tracker"

  3. Add the Launchpad Bug link to the kernel team's CVE spreadsheet in the Bug Number column for the CVE. 

STEAM='lp:~ubuntu-security/ubuntu-cve-tracker/master'
KTEAM='lp:~canonical-kernel-team/ubuntu-cve-tracker/kernel-team'

To create the branch:
* bzr branch $KTEAM

In tracker branch (this syncing should probably be scripted):
* bzr pull $KTEAM
* bzr commit -m "Saving local changes"
* bzr push $KTEAM
* bzr missing -q --theirs-only --line $STEAM | tee ../msg
  If ../msg is not empty
  * bzr merge $STEAM
  * bzr commit -m "$(cat ../msg)"
  * bzr push $KTEAM

After changing the anything in an active/CVE-* file
!! WARNING: bzr includes *all* files changed in the branch dir to the commit
* bzr commit -m "<this is my message to the world>"
* bzr push $KTEAM

Useful for cleaning up previous commit (commit undone, changes not)
* bzr uncommit

Notes to be cleaned up:

  1. Save the patch to a file.

    • Go to the cve tracker page (http://people.canonical.com/~ubuntu-security/cve/pkg/linux.html)

    • Follow the CVE link in the left column for the CVE you are working to the details page.
    • Follow the link for "Patches: Upstream:" to the upstream git web commit
    • Click the "patch" link in the top part of the page.
    • Select "Save As" from your browser and save the patch.
  2. Modify the patch
    • Add the buglink to the patch
    • Add your sob to the patch
    • Add the CVE number to the Subject line
    • Add the CVE number to the bug comment body above the buglink
    • Add the upstream commit from which the patch was either cherry-picked or backported above your s.o.b.
    • Add a comment if the patch was accepted into one or more stable kernels.
  3. Create a LP bug
    • Summary is the CVE id: "CVE-2010-XXXX"
    • Mark the bug as a security bug
    • Further information is taken from the patch commit description.
    • Add the tag: "kernel-cve-tracker"
    • Add "Link to CVE"
    • Nominate for all supported releases.
      • If the patch has already been applied to a release, mark that task "fixed-released"
      • If the patch is not needed for a particular release it should be marked "invalid"
      • For each release that the patch applies to:
        • Set status to "Inprogress"
        • Set Importance to "Low"
        • Set "Assigned to" to yourself
    • After applying the patch, add the patch as an attachment to the bug.

Kernel/Dev/FixingCVEs (last edited 2011-05-18 22:25:50 by static-50-53-98-161)