Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Specifiy CVE Description Format #341

Open
jgamblin opened this issue Sep 19, 2024 · 2 comments
Open

Specifiy CVE Description Format #341

jgamblin opened this issue Sep 19, 2024 · 2 comments
Labels
bug Something isn't working Needs Discussion Discuss in a future QWG meeting or on mailing list section:description Schema location is description

Comments

@jgamblin
Copy link

More and More CVES are starting to contain hidden formatting characters and extra spaces that should likely be supported on CVE.org, or the schema should specify that the description is a unicode string.

I will use CVE-2024-44995 as an example of this issue:

As submitted in the JSON File:

In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix a deadlock problem when config TC during resetting\n\nWhen config TC during the reset process, may cause a deadlock, the flow is\nas below:\n                             pf reset start\n                                 │\n                                 ▼\n                              ......\nsetup tc                         │\n    │                            ▼\n    ▼                      DOWN: napi_disable()\nnapi_disable()(skip)             │\n    │                            │\n    ▼                            ▼\n  ......                      ......\n    │                            │\n    ▼                            │\nnapi_enable()                    │\n                                 ▼\n                           UINIT: netif_napi_del()\n                                 │\n                                 ▼\n                              ......\n                                 │\n                                 ▼\n                           INIT: netif_napi_add()\n                                 │\n                                 ▼\n                              ......                 global reset start\n                                 │                      │\n                                 ▼                      ▼\n                           UP: napi_enable()(skip)    ......\n                                 │                      │\n                                 ▼                      ▼\n                              ......                 napi_disable()\n\nIn reset process, the driver will DOWN the port and then UINIT, in this\ncase, the setup tc process will UP the port before UINIT, so cause the\nproblem. Adds a DOWN process in UINIT to fix it."

As Rendered in Text:
Screenshot 2024-09-19 at 2 03 18 PM

As Rendered on CVE.org:
Screenshot 2024-09-19 at 2 03 29 PM

Here is a CSV with CVEs that are causing the most issues matching against a string:
SpecialDescription.csv

@ccoffin
Copy link
Collaborator

ccoffin commented Sep 19, 2024

I think this probably needs to be submitted here: https://github.com/CVEProject/cve-website/issues.

@jgamblin
Copy link
Author

@ccoffin, should the schema not specify the description's length or type as a plain text string, or should \n, \t, and extra white spaces and emojis be allowed in descriptions?

I am unsure if these 50+ CVEs are skirting an unenforced requirement or if no one is displaying them correctly.

@jayjacobs jayjacobs added bug Something isn't working section:description Schema location is description labels Oct 18, 2024
@jayjacobs jayjacobs added the Needs Discussion Discuss in a future QWG meeting or on mailing list label Oct 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working Needs Discussion Discuss in a future QWG meeting or on mailing list section:description Schema location is description
Projects
None yet
Development

No branches or pull requests

3 participants