• Re: Clarification Request: Acceptable Scenarios for Submitting CVE Fixe

    From Salvatore Bonaccorso@21:1/5 to All on Sat May 17 22:20:01 2025
    Hi

    Let's comment on some of your specific CVEs, thanks for reaching out.

    On Mon, May 12, 2025 at 06:09:37AM +0000, Fu, Rong (CN) wrote:
    > Dear maintainer,
    >
    > I would like to clarify the appropriate circumstances under which a
    > Debian bug report should be submitted for CVE-related fixes.
    >
    > Specifically, I'm uncertain about the following five scenarios:
    >
    > Condition 1: The fix is already applied in sid, Trixie, but not yet
    > in Bookworm.
    >
    > (Example: CVE-2024-57823)
    >
    > Am I allowed to prepare and submit patches for multiple Debian
    > versions (e.g., Bookworm, Bullseye)? Or will the Debian team
    > backport the fix themselves later? Should external contributors
    > avoid submitting patches in such cases?

    This one will be fixed in the 12.12 point release; the issue is not
    warranting a DSA, along with the second open CVE for raptor2 in
    bookworm.

    You could usually contribute even as a non-uploading Debian member,
    but you would need a sponsor for your upload, just as when you start
    contributing uploads for unstable.

    > Condition 2: The fix is available but not applied in any Debian release yet.
    >
    > (Example: CVE-2025-31344)
    >
    > Am I allowed to prepare and submit patches for multiple Debian
    > versions (e.g., Sid, Trixie, Bookworm, Bullseye)?

    The issue is again a minor issue. It needs to be fixed top-down,
    starting in unstable. There is no official upstream patch, but a
    proposed one which is applied in mandriva. This is more complicated, as
    we need to have some additional assurance that this is the way moving
    forward. Upstream might get activated to make sure the fix lands first
    in upstream. I know this is maybe problematic here.

    > If yes, should I reply to the existing bug report and attach the
    > patch, or should I open separate bug reports for each affected
    > release?

    No, no separate bug; it is already tracked with #1102520 and the BTS can
    cover multiple versions.

    > Condition 3: A fix is available in the latest upstream version, but
    > the CVE has no Debian bug ID.
    >
    > (Example: CVE-2023-4133)
    >
    > May I submit a patch to Debian in this case as well, even though no
    > bug is currently filed? If so, should I first open a Debian bug and
    > then submit the patch there?

    Nack on this one, src:linux is special. Do not file bugs for CVEs. We
    follow upstream, so if you want to see the fix in older upstream
    stable series, then make sure it gets backported upstream.

    > Condition 4: The CVE has no associated Debian bug ID and no upstream
    > fix yet.
    >
    > (Example: CVE-2020-36694)
    >
    > If I am able to develop a fix myself, may I submit it to Debian for
    > affected versions?
    >
    > Also, how can I link the new Debian bug report to the CVE so that
    > the bug appears on the CVE tracker?

    Work with upstream to get it fixed, once it reaches a corresponding
    stable series we will pick it up as well.

    > Condition 5: There is no fix available yet from upstream, and the
    > CVE already has a bug ID.
    >
    > (Example: CVE-2024-58036)
    >
    > I understand Debian usually waits for upstream to release a patch.
    > However, is there a way I can notify Debian once upstream does
    > publish the fix, so that the CVE tracker can be updated accordingly?

    In this case upstream might be dormant or dead. Still, try to develop a
    patch which uses Crypt:Urandom, make an upstream issue, then we can
    mark 1102147 as forwarded to it, and maybe eventually pick the change
    (again top-down; the issue is minor here again, and a fix should land in
    any case first in unstable).

    I hope this sheds some light on your questions.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)