Message-ID: <2025050945-prompter-aerobics-136f@gregkh>
Date: Fri, 9 May 2025 15:37:24 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Attila Szasz <szasza.contact@...il.com>
Cc: Theodore Ts'o <tytso@....edu>, Dmitry Vyukov <dvyukov@...gle.com>,
cve@...nel.org, linux-cve-announce@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: REJECTED: CVE-2025-0927: heap overflow in the hfs and hfsplus filesystems with manually crafted filesystem
On Fri, May 09, 2025 at 03:18:19PM +0200, Attila Szasz wrote:
> > I would invite that security researchers
> > file CVE's with the *product* as opposed to the upstream open source
> > project.
>
> The CVE was originally filed for Ubuntu Linux ;)
> Namely, cpe:2.3:o:canonical:ubuntu_linux.
>
> It was moved to kernel.org CNA territory due to some politics,
There was no "politics" here, no other CNA is allowed to assign bugs
against Linux without going through cve@...nel.org first. That's just
how the CVE system works, Canonical should not have assigned that from
the beginning.
It happens at times, nothing special here, Oracle did it earlier this
week as well, and we had to reassign a CVE over to us. Other CNAs have
done it in the past too when they forgot that Linux was a CNA.
> then it was rejected on the same day the bug was fixed upstream.
That was based on the request of the filesystem maintainers, which we
use as the final word on these things.
> Since then, I saw Canonical folks mention that they wanted to
> allocate a new one but needed to obfuscate the description so it no
> longer sounds like a kernel bug.
That's great to hear, please let me know when they do that so that we
all can report them for violating their CNA agreement with CVE.org :)
thanks,
greg k-h