Message-ID: <2025093058-iciness-talisman-8a9f@gregkh>
Date: Tue, 30 Sep 2025 13:22:30 +0200
From: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
To: Siddh Raman Pant <siddh.raman.pant@...cle.com>
Cc: "cve@...nel.org" <cve@...nel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: CVE-2025-38495: HID: core: ensure the allocated report buffer
 can contain the reserved report ID

On Tue, Sep 30, 2025 at 11:09:50AM +0000, Siddh Raman Pant wrote:
> On Tue, Sep 30 2025 at 16:29:03 +0530, gregkh@...uxfoundation.org
> wrote:
> > Then the second change is the one that gets the CVE.  Any "previous"
> > commits in a series that were preparing for the real fix are not called
> > out.  As each CVE entry says, do NOT cherry-pick, but rather always take
> > all of the commits in the stable release.
> 
> IMO it won't be nice to change an identifier now and a new ID should be
> assigned instead.

I do not understand.  We are not going to change anything here...

Let's start over.  Is the CVE referenced here in the Subject line, and
the git id it references not valid?  Does it not fix a vulnerability as
described?  Is there some other commit that also fixes a vulnerability
that should also be assigned to a new CVE?  Or is something else wrong
here?

thanks,

greg k-h
