| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024082958-distress-outmatch-ab28@gregkh> Date: Thu, 29 Aug 2024 18:58:31 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: Willem de Bruijn <willemb@...gle.com> Cc: Michal Koutný <mkoutny@...e.com>, cve@...nel.org, linux-kernel@...r.kernel.org, Tao Liu <thomas.liu@...oud.cn> Subject: Re: CVE-2022-48936: gso: do not skip outer ip header in case of ipip and net_failover On Thu, Aug 29, 2024 at 12:53:34PM -0400, Willem de Bruijn wrote: > On Thu, Aug 29, 2024 at 12:18 PM Michal Koutný <mkoutny@...e.com> wrote: > > > > On Wed, Aug 28, 2024 at 09:30:08AM GMT, Greg Kroah-Hartman <gregkh@...uxfoundation.org> wrote: > > > > What is the security issue here? > > > > > > This was assigned as part of the import of the Linux kernel GSD entries > > > into CVEs as required by the CVE board of directors (hence the 2022 > > > date). If you don't feel this should be assigned a CVE, just let me > > > know and I will be glad to reject it. > > > > The address of original author bounces back. Willem, could you please > > help explaining context of the change? (~the questions in my previous > > message). > > I don't know why this has a CVE. > > The patch reports that the negative effect is a drop due to a corrupted packet. > > According to the CVE report this requires both user input with > virtio_net_hdr, which is privileged, and a tunnel device configured, > which again is privileged. > Ok, should it be rejected then? If so, just let me know. thanks, greg k-h
Powered by blists - more mailing lists