lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <005501d1bb14$bc9338c0$35b9aa40$@alibaba-inc.com>
Date:	Tue, 31 May 2016 16:16:30 +0800
From:	"Hillf Danton" <hillf.zj@...baba-inc.com>
To:	<charley.ashbringer@...il.com>
Cc:	"linux-kernel" <linux-kernel@...r.kernel.org>
Subject: Re: Vulnerability [CVE-2014-4608] recurs in Linux 3.17.2-4.5

> 
> Dear Sir/Madam:
>     I'm a postgraduate student majoring in information security and
> I'm very interested in software vulnerabilities, I think it's really
> fascinating and I'm doing some research about how to find
> vulnerabilities automatically. I have done some tests with Linux bug
> commits. And  I found that the patch codes ( fixing CVE-2014-4608 )
> didn't appear in the version 3.17.2 to 4.5. I'm just wondering if this
> means the vulnerability ( CVE-2014-4608 ) recurs in Linux 3.17.2-4.5.
> If not, is it fixed in another way?
>     Thanks for your time, I'll appreciate it very much if you can give
> an answer.
> 
> p.s. here is the link to CVE-2014-4608 report
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=206a81c18401 \
> c0cde6e579164f752c4b147324ce
> 
> Best regards
> 
> ZhiJun DENG
> Cluster and Grid Computing Laboratory
> HuaZhong University Of Science And Technology
> 1037 Luoyu Road,Wuhan,430074,China
> Tel:+86 - 15527287870
> 
> Email锛�506012274@...com
> 
Hi ZhiJun DENG

In linux-4.7-rc1 the log says,
1,	206a81c18401 ("lzo: properly check for overruns") was reverted by
	af958a38a60c ("Revert "lzo: properly check for overruns"")

2, then it was fixed in 
	72cf90124e8 ("lzo: check for length overrun in variable length encoding.")

btw, please send email in pure text to LKML.

Hillf

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ