lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240731143441.GO17473@suse.cz>
Date: Wed, 31 Jul 2024 16:34:42 +0200
From: David Sterba <dsterba@...e.cz>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
	linux-cve-announce@...r.kernel.org
Subject: Re: CVE-2024-41067: btrfs: scrub: handle RST lookup error correctly

On Tue, Jul 30, 2024 at 06:53:40AM +0200, Greg Kroah-Hartman wrote:
> > > The Linux kernel CVE team has assigned CVE-2024-41067 to this issue.
> > 
> > Please drop the CVE. It's a fix for feature that's still in development
> > and is not enabled on production kernels (requires CONFIG_BTRFS_DEBUG).
> 
> We do not know people's use case, and can not "gate" CVE ids based on
> difference config options like this.

The use case are early adopters for a known unfinished feature where
instabilty could happen and there are known problems like lockups.  It's
behind the config option for that purpose so bugs are reported but don't
have to be treated as security.

> > There was even a recent on-disk format change (mkfs required), this is
> > not really for environments where security matters. Thanks.
> 
> It's a fix for a vulnerability, so I think it should stay assigned.  If
> your system does not enable that config option, then there is nothing to
> worry about, right?

It's not a vulnerability unless you define that very extensively. My
systems don't enable that, distro kernels don't enable that, so there's
nothing to worry about. Conclusiion is not to assign a CVE, right.
Otherwise it only increases paperwork.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ