lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2024022129-expiring-resurface-146c@gregkh>
Date: Wed, 21 Feb 2024 19:21:49 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Paolo Bonzini <pbonzini@...hat.com>
Cc: Sasha Levin <sashal@...nel.org>, linux-kernel@...r.kernel.org,
	cve@...nel.org, Jiri Kosina <jkosina@...e.cz>
Subject: Re: CVE-2023-52437: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING
 in raid5d"

On Wed, Feb 21, 2024 at 04:56:31PM +0100, Paolo Bonzini wrote:
> To recap:
> 
> - the CVE description comes from was upstream commit bed9e27baf52
> 
> - neither the CVE mitigation section nor the mentioned kernel releases
> fix the bug mentioned in the upstream commit, because the mitigation
> section also includes commits that _revert_ commit bed9e27baf52
> 
> - this second revert is not mentioned anywhere, so the CVE description
> is at best misleading; or perhaps more accurately described as
> "completely f***ed up".
> 
> I'm sure it's just a bug in the scripts, but it's worrisome that you
> don't acknowledge this.

Yes, this is a bug in the scripts, but it wasn't obvious what you were
objecting to here honestly.  Reverts were not anything I tested the
scripts with before now, and I'm sure there are going to be more cases
that fail in odd ways too.  We'll fix them when they show up, that's the
best we can do.

I'll look at it tomorrow and try to figure it out, if nothing else, I'll
just manually update the json record and push the update to cve.org as
that's the "canonical" record here.  The json files will be updated over
time as new releases happen and patches flow backwards, so they will be
updated, but for now, sending out new email messages all the time would
be a mess.

However in this case, I'll fix it up and send out a new announcement as
obviously it's wrong in places.

If you want to replace the wording in the description here with anything
else better, PLEASE let us know and we will be glad to do so.

That's the benifit of being a CNA, we can ACTUALLY MODIFY the CVE
records, previously it was almost impossible to ever do so.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ