| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d1cb0cd3-0826-48fc-8713-8648d6eb9fd7@kernel.dk> Date: Fri, 24 May 2024 10:57:07 -0600 From: Jens Axboe <axboe@...nel.dk> To: Gabriel Krisman Bertazi <krisman@...e.de>, Greg Kroah-Hartman <gregkh@...uxfoundation.org> Cc: linux-cve-announce@...r.kernel.org, cve@...nel.org, linux-kernel@...r.kernel.org Subject: Re: CVE-2023-52656: io_uring: drop any code related to SCM_RIGHTS On 5/24/24 10:45 AM, Gabriel Krisman Bertazi wrote: > Greg Kroah-Hartman <gregkh@...uxfoundation.org> writes: > >> Description >> =========== >> >> In the Linux kernel, the following vulnerability has been resolved: >> >> io_uring: drop any code related to SCM_RIGHTS >> >> This is dead code after we dropped support for passing io_uring fds >> over SCM_RIGHTS, get rid of it. >> >> The Linux kernel CVE team has assigned CVE-2023-52656 to this issue. > > Hello Greg, > > [+Jens in Cc] > > This is stable material, but doesn't deserve CVE status. There is > nothing exploitable that is fixed here. Instead, this commit is dropping > unreachable code after the removal of a feature, following another CVE > report. Doing the clean up in the original patch would have made the > real security fix harder to review. > > The real issue was reported as CVE-2023-52654 and handled by a different > commit. FWIW, the same is true for a number of other commits recently. They are nowhere near CVE material, it's just generic bug fixes. -- Jens Axboe
Powered by blists - more mailing lists