lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2424055.QlFIqzKPrH@devpool47>
Date:   Thu, 29 Jul 2021 10:31:45 +0200
From:   Rolf Eike Beer <eb@...ix.com>
To:     desmondcheongzx@...il.com
Cc:     anton@...era.com, gregkh@...uxfoundation.org,
        linux-kernel-mentees@...ts.linuxfoundation.org,
        linux-kernel@...r.kernel.org, linux-ntfs-dev@...ts.sourceforge.net,
        skhan@...uxfoundation.org,
        syzbot+213ac8bb98f7f4420840@...kaller.appspotmail.com
Subject: Re: [PATCH] ntfs: Fix validity check for file name attribute

Hi,

I was just scanning through some older vulnerabilities and came across 
CVE-2018-12929, CVE-2018-12930, and CVE-2018-12931, which are all still open 
according to linuxkernelcves.com (originally reported against 4.15 [1]). I 
looked into the commits in fs/ntfs/ from 4.15 onwards to see if they were just 
missed, but I can't spot anything there. RedHat claims to have them fixed in 
one of their kernels [2].

Which makes me wonder if the issue fixed here is a duplicate of the any of the 
above. Is there a reason I can't find any patches for the original issue in 
tree, like the issue only introduced in a custom patchset that Ubuntu/RedHat 
were using? Is this thing worth it's own CVE if it's no duplicate?

Greetings,

Eike

1) https://marc.info/?t=152407734400002&r=1&w=2
2) https://access.redhat.com/errata/RHSA-2019:0641
-- 
Rolf Eike Beer, emlix GmbH, http://www.emlix.com
Fon +49 551 30664-0, Fax +49 551 30664-11
Gothaer Platz 3, 37083 Göttingen, Germany
Sitz der Gesellschaft: Göttingen, Amtsgericht Göttingen HR B 3160
Geschäftsführung: Heike Jordan, Dr. Uwe Kracke – Ust-IdNr.: DE 205 198 055

emlix - smart embedded open source

Download attachment "signature.asc" of type "application/pgp-signature" (314 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ