Hi Bonaccorso,

Thank you very much for your extremely detailed and helpful answer. I truly appreciate the time and effort you took to provide such a thorough explanation. But I still have one concern about Condition 3.

> Condition 3: A fix is available in the latest upstream version, but
> the CVE has no Debian bug ID.

As an example, let's consider CVE-2025-4516 affecting the python package.

https://security-tracker.debian.org/tracker/CVE-2025-4516

In the CVE: Upstream has already released patches for the main branch and version 3.14. However, this CVE currently has no associated Debian bug ID.

Question: In this case, would it be appropriate for me to file a bug report and submit a patch for the affected Debian package version(s)?

Additionally, regarding your earlier note:

"You would need a sponsor for your upload, as is the case when contributing to unstable uploads."

Clarification: Does this "sponsor" refer to the Debian developer assigned to review the patch once I file the bug report?

I appreciate your time and look forward to your insights.

Best regards,
Rong

-----Original Message-----
From: Salvatore Bonaccorso <salvatore.bonacco...@gmail.com> On Behalf Of Salvatore Bonaccorso
Sent: Sunday, May 18, 2025 4:12 AM
To: Fu, Rong (CN) <rong.fu...@windriver.com>
Cc: t...@security.debian.org; debian-security@lists.debian.org
Subject: Re: Clarification Request: Acceptable Scenarios for Submitting CVE Fixes to Debian

Hi

Let's comment on some of your specific CVEs, thanks for reaching out.

On Mon, May 12, 2025 at 06:09:37AM +0000, Fu, Rong (CN) wrote:
> Dear maintainer,
>
> I would like to clarify the appropriate circumstances under which a
> Debian bug report should be submitted for CVE-related fixes.
>
> Specifically, I'm uncertain about the following five scenarios:
>
> Condition 1: The fix is already applied in sid, Trixie, but not yet in
> Bookworm.
>
> (Example: CVE-2024-57823)
>
> Am I allowed to prepare and submit patches for multiple Debian
> versions (e.g., Bookworm, Bullseye)? Or will the Debian team backport
> the fix themselves later? Should external contributors avoid
> submitting patches in such cases?

This one will be fixed in the 12.12 point release; the issue does not warrant a DSA, along with the second open CVE for raptor2 in bookworm. You usually could contribute even as a non-uploading Debian member, but you would need a sponsor for your upload, as when you start contributing unstable uploads.

> Condition 2: The fix is available but not applied in any Debian release yet.
>
> (Example: CVE-2025-31344)
>
> Am I allowed to prepare and submit patches for multiple Debian
> versions (e.g., Sid, Trixie, Bookworm, Bullseye)?

The issue is again a minor issue. It needs to be fixed top down, starting in unstable. There is no official upstream patch, but a proposed one which is applied in mandriva. This is more complicated, as we need to have some additional assurance that this is the way moving forward. Upstream might get activated to make sure the fix lands first in upstream. I know this is maybe problematic here.

> If yes, should I reply to the existing bug report and attach the
> patch, or should I open separate bug reports for each affected
> release?

No, no separate bug; it is already tracked with #1102520 and the BTS can cover multiple versions.

> Condition 3: A fix is available in the latest upstream version, but
> the CVE has no Debian bug ID.
>
> (Example: CVE-2023-4133)
>
> May I submit a patch to Debian in this case as well, even though no
> bug is currently filed? If so, should I first open a Debian bug and
> then submit the patch there?

Nack on this one, src:linux is special. Do not file bugs for CVEs. We follow upstream, so if you want to see the fix in older upstream stable series then make sure it gets backported upstream.

> Condition 4: The CVE has no associated Debian bug ID and no upstream
> fix yet.
>
> (Example: CVE-2020-36694)
>
> If I am able to develop a fix myself, may I submit it to Debian for
> affected versions?
>
> Also, how can I link the new Debian bug report to the CVE so that the
> bug appears on the CVE tracker?

Work with upstream to get it fixed; once it reaches a corresponding stable series we will pick it up as well.

> Condition 5: There is no fix available yet from upstream, and the CVE
> already has a bug ID.
>
> (Example: CVE-2024-58036)
>
> I understand Debian usually waits for upstream to release a patch.
> However, is there a way I can notify Debian once upstream does publish
> the fix, so that the CVE tracker can be updated accordingly?

In this case upstream might be dormant or dead. Still try to develop a patch which uses Crypt::URandom, make an upstream issue, then we can mark 1102147 forwarded to it, and maybe eventually pick the change (again top-down; the issue is minor here again, and a fix should land in any case first in unstable).

I hope this sheds some light on your questions.

Regards,
Salvatore
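The kind of Crypt::URandom-based change Salvatore suggests for Condition 5, as an added Perl illustration; this is not code from the thread or from the affected package, the weak_token function is a hypothetical contrast rather than the package's real code, and the 16-byte token length is an assumption.

```perl
#!/usr/bin/perl
# Added illustration, not code from the thread or from any Debian package:
# a token generator moved from Perl's rand() to the OS CSPRNG via
# Crypt::URandom (on Debian: libcrypt-urandom-perl).
use strict;
use warnings;
use Crypt::URandom qw(urandom);

# Hypothetical "before" (assumed pattern, not the affected package's code):
# rand() is a non-cryptographic PRNG with a small, guessable seed, so a
# nonce or session token built from it can be reproduced by an attacker.
sub weak_token {
    my $len = shift // 16;
    return join '', map { sprintf '%02x', int(rand(256)) } 1 .. $len;
}

# "After": urandom($len) returns $len bytes from /dev/urandom, getrandom(2)
# or the platform equivalent, and dies instead of silently degrading if no
# kernel entropy source is available.
sub secure_token {
    my $len = shift // 16;
    return unpack 'H*', urandom($len);
}

# Minimal check a packager could keep in the package's test suite:
# tokens have the expected hex length and consecutive calls differ.
sub self_check {
    my $a = secure_token(16);
    my $b = secure_token(16);
    return length($a) == 32 && length($b) == 32 && $a ne $b;
}

print secure_token(16), "\n";
print self_check() ? "self-check ok\n" : "self-check FAILED\n";
```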