lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250106180916.GI1284777@mit.edu>
Date: Mon, 6 Jan 2025 13:09:16 -0500
From: "Theodore Ts'o" <tytso@....edu>
To: Siddh Raman Pant <siddh.raman.pant@...cle.com>
Cc: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        cve@...nel.org
Subject: Re: CVE-2024-49967: ext4: no need to continue when the number of
 entries is 1

It looks like this CVE hasn't been revoked yet, at least per
nvd.nist.gov?  Is that the best way to check kernel CVE's status?

Thanks,
					- Ted
					

On Tue, Dec 10, 2024 at 06:08:46AM +0000, Siddh Raman Pant wrote:
> On Mon, Dec 09 2024 at 21:56:23 +0530, Theodore Ts'o wrote:
> > On Mon, Dec 09, 2024 at 02:08:02PM +0100, gregkh@...uxfoundation.org wrote:
> > > Ok, so should it be revoked?
> 
> Yes, as this was an incorrect attempt at fixing CVE-2024-42305.
> 
> > We're not aware of a way of triggering the OOB error, so in that sense
> > the CVE is not valid.  There might be a way that someone might be able
> > to trigger it in the future; in that hypothetical future, there might
> > be some other fix that would address the root cause, but this would be
> > a belt and suspenders thing that might prevent that (hypothetical)
> > future.  So in that sense, it is highly commended that enterprise
> > distros and people who are not following the LTS kernels take this
> > patch.  But is it actually fixing a known vulnerability today?  Not
> > that we know of.
> > 
> > Cheers,
> > 
> > 						- Ted
> > 
> > P.S.  If some security researcher wants to find such a way, to educate
> > people on why using LTS kernels is superior, they should feel free to
> > consider this a challenge.  :-P
> 
> I agree.
> 
> Thanks,
> Siddh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ