| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025090355-impromptu-tragedy-9ff2@gregkh>
Date: Wed, 3 Sep 2025 14:36:03 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Hoyeon Lee <hoyeon.lee@...e.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH vulns] add a .vulnerable id for CVE-2025-38608
On Wed, Sep 03, 2025 at 02:41:07PM +0900, Hoyeon Lee wrote:
> The issue depends on bpf_msg_pop_data() helper, which was introduced
> by commit 7246d8ed4dcc ("bpf: helper to pop data from messages"). Fixes
> tag in commit 178f6a5c8cb3 ("bpf, ktls: Fix data corruption when using
> bpf_msg_pop_data() in ktls") incorrectly points to commit d3b18ad31f93
> ("tls: add bpf support to sk_msg handling"), which does not provide this
> helper. For this reason, the introduction of bpf_msg_pop_data() has been
> chosen as the vulnerable point for CVE-2025-38608.
>
> Signed-off-by: Hoyeon Lee <hoyeon.lee@...e.com>
> ---
> cve/published/2025/CVE-2025-38608.vulnerable | 1 +
> 1 file changed, 1 insertion(+)
> create mode 100644 cve/published/2025/CVE-2025-38608.vulnerable
>
> diff --git a/cve/published/2025/CVE-2025-38608.vulnerable b/cve/published/2025/CVE-2025-38608.vulnerable
> new file mode 100644
> index 000000000..f0336d0ed
> --- /dev/null
> +++ b/cve/published/2025/CVE-2025-38608.vulnerable
> @@ -0,0 +1 @@
> +7246d8ed4dcce23f7509949a77be15fa9f0e3d28
> --
> 2.51.0
>
Looks good, thanks! Now applied and updated.
greg k-h
Powered by blists - more mailing lists