lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 22 Sep 2022 13:15:02 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     David Gow <davidgow@...gle.com>
Cc:     cgel.zte@...il.com, Brendan Higgins <brendan.higgins@...ux.dev>,
        paul.walmsley@...ive.com, palmer@...belt.com,
        aou@...s.berkeley.edu, Shuah Khan <skhan@...uxfoundation.org>,
        Daniel Latypov <dlatypov@...gle.com>,
        "open list:KERNEL SELFTEST FRAMEWORK" 
        <linux-kselftest@...r.kernel.org>,
        KUnit Development <kunit-dev@...glegroups.com>,
        linux-riscv <linux-riscv@...ts.infradead.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Xu Panda <xu.panda@....com.cn>, Zeal Robot <zealci@....com.cn>
Subject: Re: [PATCH linux-next] kunit: tool: use absolute path for wget

On Thu, Sep 22, 2022 at 06:50:59PM +0800, David Gow wrote:
> On Thu, Sep 22, 2022 at 6:20 PM Greg KH <gregkh@...uxfoundation.org> wrote:
> >
> > On Thu, Sep 22, 2022 at 06:09:28PM +0800, David Gow wrote:
> > > On Thu, Sep 22, 2022 at 4:36 PM <cgel.zte@...il.com> wrote:
> > > >
> > > > From: Xu Panda <xu.panda@....com.cn>
> > > >
> > > > Not using absolute path when invoking wget can lead to serious
> > > > security issues.
> > > >
> > > > Reported-by: Zeal Robot <zealci@....com.cn>
> > > > Signed-off-by: Xu Panda <xu.panda@....com.cn>
> > > > ---
> > >
> > > This seems mostly okay to me -- we'd be abandoning people who have
> > > wget in an unusual location, but I don't think there are many people
> > > who want to run KUnit under RISC-V, have wget in a non-standard
> > > location, and can't acquire the bios file themselves.
> > >
> > > So this is:
> > > Reviewed-by: David Gow <davidgow@...gle.com>
> >
> > Please no, at this point in time, submissions from this gmail "alias"
> > are going to have to be rejected from the kernel.
> >
> 
> Good to know, thanks.
> 
> This isn't queued anyway, as I think that getting rid of the code to
> download the BIOS (and instead relying on the user's distro to provide
> it) is probably a better solution.s

That's a much better solution, we have authenticated firmware download
paths for BIOS images on Linux now integrated into distros.  Let's use
that infrastructure that is set up for that for this type of thing.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ