| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+FuTSeHvADR5qbWnzRpYtpvNcvYrAeXAj8LYczUFLKREDwfpQ@mail.gmail.com> Date: Thu, 29 Aug 2024 12:53:34 -0400 From: Willem de Bruijn <willemb@...gle.com> To: Michal Koutný <mkoutny@...e.com> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, cve@...nel.org, linux-kernel@...r.kernel.org, Tao Liu <thomas.liu@...oud.cn> Subject: Re: CVE-2022-48936: gso: do not skip outer ip header in case of ipip and net_failover On Thu, Aug 29, 2024 at 12:18 PM Michal Koutný <mkoutny@...e.com> wrote: > > On Wed, Aug 28, 2024 at 09:30:08AM GMT, Greg Kroah-Hartman <gregkh@...uxfoundation.org> wrote: > > > What is the security issue here? > > > > This was assigned as part of the import of the Linux kernel GSD entries > > into CVEs as required by the CVE board of directors (hence the 2022 > > date). If you don't feel this should be assigned a CVE, just let me > > know and I will be glad to reject it. > > The address of original author bounces back. Willem, could you please > help explaining context of the change? (~the questions in my previous > message). I don't know why this has a CVE. The patch reports that the negative effect is a drop due to a corrupted packet. According to the CVE report this requires both user input with virtio_net_hdr, which is privileged, and a tunnel device configured, which again is privileged.
Powered by blists - more mailing lists