Open Source and information security mailing list archives
 
Date:   Mon, 9 Oct 2023 14:02:16 +0200
From:   Vegard Nossum <vegard.nossum@...cle.com>
To:     Greg KH <gregkh@...uxfoundation.org>,
        Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
Cc:     stable@...r.kernel.org, joe@...ches.com, blamoreaux@...are.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 4.14.y] drivers core: Use sysfs_emit and sysfs_emit_at for
 show(device *...) functions


On 07/10/2023 13:21, Greg KH wrote:
> On Fri, Sep 22, 2023 at 05:14:54AM -0700, Harshit Mogalapalli wrote:
>> Signed-off-by: Joe Perches <joe@...ches.com>
>> Link: https://lore.kernel.org/r/3d033c33056d88bbe34d4ddb62afd05ee166ab9a.1600285923.git.joe@perches.com
>> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
>> [Harshit: backport to 4.14.y -- regenerated the diff with the help of
>> coccinelle script in driver/base/ directory.]
>> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
>> ---
>> Only compile tested. This fixes CVE-2022-20166.
>> It is not clear whether the CVE was assigned for a demonstrated issue
>> or just a theoretical one. In any case it's a good defensive measure
>> against future patches that may introduce a real issue if they assume
>> this patch is already there.
> 
> This is not needed in this kernel tree, so why are you attempting to add
> it?
> 
> And if you have questions about a CVE, as the entity that gave the cve
> out, they are responsible for it, not us!

We weren't sure where exactly the issue was, but figured the more
cautious approach would be to apply the patch regardless -- it does look
correct to me at a glance (doesn't suffer from the issues that Ben
pointed out with another submission, AFAICT).

But point taken, this falls under the "no theoretical issues" stable
submission rule.

Thanks,


Vegard
