| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025093001-petted-boney-29c2@gregkh> Date: Tue, 30 Sep 2025 12:59:03 +0200 From: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org> To: Siddh Raman Pant <siddh.raman.pant@...cle.com> Cc: "cve@...nel.org" <cve@...nel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: CVE-2025-38495: HID: core: ensure the allocated report buffer can contain the reserved report ID On Tue, Sep 30, 2025 at 10:54:06AM +0000, Siddh Raman Pant wrote: > On Tue, Sep 30 2025 at 16:19:44 +0530, gregkh@...uxfoundation.org > wrote: > > What git id is that? > > 0d0777ccaa2d46609d05b66ba0096802a2746193 That commit id on its own does not "fix" anything that we can see, which is why it was not given a CVE. > > And this commit on its own fixes a problem, so it should be a separate > > CVE, right? > > The reservation of 1st byte happens in the next commit. > > Not sure why the change was broken up into two. Then the second change is the one that gets the CVE. Any "previous" commits in a series that were preparing for the real fix are not called out. As each CVE entry says, do NOT cherry-pick, but rather always take all of the commits in the stable release. thanks, greg k-h
Powered by blists - more mailing lists