lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <2025090355-impromptu-tragedy-9ff2@gregkh>
Date: Wed, 3 Sep 2025 14:36:03 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Hoyeon Lee <hoyeon.lee@...e.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH vulns] add a .vulnerable id for CVE-2025-38608

On Wed, Sep 03, 2025 at 02:41:07PM +0900, Hoyeon Lee wrote:
> The issue depends on bpf_msg_pop_data() helper, which was introduced
> by commit 7246d8ed4dcc ("bpf: helper to pop data from messages"). Fixes
> tag in commit 178f6a5c8cb3 ("bpf, ktls: Fix data corruption when using
> bpf_msg_pop_data() in ktls") incorrectly points to commit d3b18ad31f93
> ("tls: add bpf support to sk_msg handling"), which does not provide this
> helper. For this reason, the introduction of bpf_msg_pop_data() has been
> chosen as the vulnerable point for CVE-2025-38608.
> 
> Signed-off-by: Hoyeon Lee <hoyeon.lee@...e.com>
> ---
>  cve/published/2025/CVE-2025-38608.vulnerable | 1 +
>  1 file changed, 1 insertion(+)
>  create mode 100644 cve/published/2025/CVE-2025-38608.vulnerable
> 
> diff --git a/cve/published/2025/CVE-2025-38608.vulnerable b/cve/published/2025/CVE-2025-38608.vulnerable
> new file mode 100644
> index 000000000..f0336d0ed
> --- /dev/null
> +++ b/cve/published/2025/CVE-2025-38608.vulnerable
> @@ -0,0 +1 @@
> +7246d8ed4dcce23f7509949a77be15fa9f0e3d28
> -- 
> 2.51.0
> 

Looks good, thanks!  Now applied and updated.

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ