Message-ID: <2025050945-prompter-aerobics-136f@gregkh>
Date: Fri, 9 May 2025 15:37:24 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Attila Szasz <szasza.contact@...il.com>
Cc: Theodore Ts'o <tytso@....edu>, Dmitry Vyukov <dvyukov@...gle.com>,
	cve@...nel.org, linux-cve-announce@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: REJECTED: CVE-2025-0927: heap overflow in the hfs and hfsplus filesystems with manually crafted filesystem

On Fri, May 09, 2025 at 03:18:19PM +0200, Attila Szasz wrote:
> > I would invite that security researchers
> > file CVE's with the *product* as opposed to the upstream open source
> > project.
> 
> The CVE was originally filed for Ubuntu Linux ;)
> Namely, cpe:2.3:o:canonical:ubuntu_linux.
> 
> It was moved to kernel.org CNA territory due to some politics,

There was no "politics" here, no other CNA is allowed to assign bugs
against Linux without going through cve@...nel.org first.  That's just
how the CVE system works, Canonical should not have assigned that from
the beginning.

It happens at times, nothing special here, Oracle did it earlier this
week as well, and we had to reassign a CVE over to us.  Other CNAs have
done it in the past too when they forgot that Linux was a CNA.

> then it was rejected on the same day the bug was fixed upstream.

That was based on the request of the filesystem maintainers, which we
use as the final word on these things.

> Since then, I saw Canonical folks mention that they wanted to
> allocate a new one but needed to obfuscate the description so it no
> longer sounds like a kernel bug.

That's great to hear, please let me know when they do that so that we
all can report them for violating their CNA agreement with CVE.org :)

thanks,

greg k-h
