| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 31 May 2022 08:16:45 +0000
From: Lyu Tao <tao.lyu@...l.ch>
To: "chenxiaosong (A)" <chenxiaosong2@...wei.com>
CC: "linux-nfs@...r.kernel.org" <linux-nfs@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"bjschuma@...app.com" <bjschuma@...app.com>,
"anna@...nel.org" <anna@...nel.org>,
Trond Myklebust <trond.myklebust@...merspace.com>,
"liuyongqiang13@...wei.com" <liuyongqiang13@...wei.com>,
"yi.zhang@...wei.com" <yi.zhang@...wei.com>,
"zhangxiaoxu5@...wei.com" <zhangxiaoxu5@...wei.com>
Subject: Re: [PATCH -next 0/2] fix nfsv4 bugs of opening with O_ACCMODE flag
Hi Xiaosong,
I sent the first email on 05.05.2022 to CVE-Request@...re.org to require them update the description with the following information. They replied that they will update the information within that day. However, they didn't updated the description and then I sent the second email and they didn't reply me.
Do you know any other ways to update the description.
"I need to update the CVE description as below:
After secondly opening a file with O_ACCMODE|O_DIRECT flags, nfs4_valid_open_stateid() will dereference NULL nfs4_state when lseek().
And its references should be updated as this:
https://github.com/torvalds/linux/commit/ab0fc21bc7105b54bafd85bd8b82742f9e68898a "
Best,
Tao
>From: chenxiaosong (A) <chenxiaosong2@...wei.com>
>Sent: Tuesday, May 31, 2022 8:40 AM
>To: Lyu Tao
>Cc: linux-nfs@...r.kernel.org; linux-kernel@...r.kernel.org; bjschuma@...app.com; anna@...nel.org; Trond Myklebust; liuyongqiang13@...wei.com; yi.zhang@...wei.com; zhangxiaoxu5@...wei.com
>Subject: Re: [PATCH -next 0/2] fix nfsv4 bugs of opening with O_ACCMODE flag
>
>Hi Tao:
>
>"NVD Last Modified" date of
>[CVE-2022-24448](https://nvd.nist.gov/vuln/detail/CVE-2022-24448) is
>already updated to 05/12/2022, but the description of the cve is still
>wrong, and the hyperlink of [unrelated patch: NFSv4: Handle case where
>the lookup of a directory
>fails](https://github.com/torvalds/linux/commit/ac795161c93699d600db16c1a8cc23a65a1eceaf)
>is still shown in the web.
>
>There is two fix patches of the cve, the web just show one of my patches.
>
>one patch is already shown in the web: [Revert "NFSv4: Handle the
>special Linux file open access
>mode"](https://github.com/torvalds/linux/commit/ab0fc21bc7105b54bafd85bd8b82742f9e68898a)
>
>second patch is not shown in the web: [NFSv4: fix open failure with
>O_ACCMODE
>flag](https://github.com/torvalds/linux/commit/b243874f6f9568b2daf1a00e9222cacdc15e159c)
>
>在 2022/5/6 15:40, Lyu Tao 写道:
>>> From: chenxiaosong (A) <chenxiaosong2@...wei.com>
>>> Sent: Thursday, May 5, 2022 4:48 AM
>>> To: Lyu Tao
>>> Cc: linux-nfs@...r.kernel.org; linux-kernel@...r.kernel.org; bjschuma@...app.com; anna@...nel.org; Trond Myklebust; liuyongqiang13@...wei.com; yi.zhang@...wei.com; zhangxiaoxu5@...wei.com
>>> Subject: Re: [PATCH -next 0/2] fix nfsv4 bugs of opening with O_ACCMODE flag
>>
>>> "NVD Last Modified" date of CVE-2022-24448 is updated as 04/29/2022, but the content of the cve is old.
>>> https://nvd.nist.gov/vuln/detail/CVE-2022-24448
>>
>> Hi,
>>
>> Thanks for reaching out.
>>
>> I've requested to update the CVE description and they replied me that it would be updated yesterday. Maybe the system need some time to reflesh. Let's wait a few more days.
>>
>> Best,
>> Tao.
>>
Powered by blists - more mailing lists