| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 31 May 2016 16:16:30 +0800
From: "Hillf Danton" <hillf.zj@...baba-inc.com>
To: <charley.ashbringer@...il.com>
Cc: "linux-kernel" <linux-kernel@...r.kernel.org>
Subject: Re: Vulnerability [CVE-2014-4608] recurs in Linux 3.17.2-4.5
>
> Dear Sir/Madam:
> I'm a postgraduate student majoring in information security and
> I'm very interested in software vulnerabilities, I think it's really
> fascinating and I'm doing some research about how to find
> vulnerabilities automatically. I have done some tests with Linux bug
> commits. And I found that the patch codes ( fixing CVE-2014-4608 )
> didn't appear in the version 3.17.2 to 4.5. I'm just wondering if this
> means the vulnerability ( CVE-2014-4608 ) recurs in Linux 3.17.2-4.5.
> If not, is it fixed in another way?
> Thanks for your time, I'll appreciate it very much if you can give
> an answer.
>
> p.s. here is the link to CVE-2014-4608 report
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=206a81c18401 \
> c0cde6e579164f752c4b147324ce
>
> Best regards
>
> ZhiJun DENG
> Cluster and Grid Computing Laboratory
> HuaZhong University Of Science And Technology
> 1037 Luoyu Road,Wuhan,430074,China
> Tel:+86 - 15527287870
>
> Email锛�506012274@...com
>
Hi ZhiJun DENG
In linux-4.7-rc1 the log says,
1, 206a81c18401 ("lzo: properly check for overruns") was reverted by
af958a38a60c ("Revert "lzo: properly check for overruns"")
2, then it was fixed in
72cf90124e8 ("lzo: check for length overrun in variable length encoding.")
btw, please send email in pure text to LKML.
Hillf
Powered by blists - more mailing lists