| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024073029-clerk-trophy-b84c@gregkh> Date: Tue, 30 Jul 2024 06:56:42 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: Kees Cook <kees@...nel.org> Cc: Michal Koutný <mkoutny@...e.com>, cve@...nel.org, linux-kernel@...r.kernel.org, linux-cve-announce@...r.kernel.org Subject: Re: CVE-2024-35918: randomize_kstack: Improve entropy diffusion On Mon, Jul 29, 2024 at 05:15:52PM -0700, Kees Cook wrote: > On Mon, Jul 29, 2024 at 04:35:52PM +0200, Michal Koutný wrote: > > On Sat, Jul 27, 2024 at 09:34:18AM GMT, Greg Kroah-Hartman <gregkh@...uxfoundation.org> wrote: > > > We assigned a CVE to 9c573cd313433 as it was implied by many that this > > > was "fixing a weakness" in the security feature in 39218ff4c625d. If > > > this is not the case, then we can revoke this CVE. > > > > If 9c573cd313433 (fixup) is fixing a weakness of too few bits in stack offset > > randomization, then 39218ff4c625d (feature) is fixing such a weakness too. > > > > Or equivalently, if 39218ff4c625d is not fixing a weakness of too few > > bits in stack offset randomization, then 9c573cd313433 is not fixing it > > neither. > > > > By this reasoning I'd be for stripping this CVE. Both patches would thus > > be equal. (As suggested by Kees.) > > (Also to avoid going into the rabbit hole of how many bits of > > randomization are enough.) > > Yeah, I think it's best to have neither be a CVE. The CVE has now been rejected, thanks for the review! greg k-h
Powered by blists - more mailing lists