Message-ID: <2025093058-iciness-talisman-8a9f@gregkh>
Date: Tue, 30 Sep 2025 13:22:30 +0200
From: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
To: Siddh Raman Pant <siddh.raman.pant@...cle.com>
Cc: "cve@...nel.org" <cve@...nel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: CVE-2025-38495: HID: core: ensure the allocated report buffer
can contain the reserved report ID

On Tue, Sep 30, 2025 at 11:09:50AM +0000, Siddh Raman Pant wrote:
> On Tue, Sep 30 2025 at 16:29:03 +0530, gregkh@...uxfoundation.org
> wrote:
> > Then the second change is the one that gets the CVE. Any "previous"
> > commits in a series that were preparing for the real fix are not called
> > out. As each CVE entry says, do NOT cherry-pick, but rather always take
> > all of the commits in the stable release.
>
> IMO it won't be nice to change an identifier now and a new ID should be
> assigned instead.

I do not understand. We are not going to change anything here...

Let's start over. Is the CVE referenced here in the Subject line, and
the git id it references not valid? Does it not fix a vulnerability as
described? Is there some other commit that also fixes a vulnerability
that should also be assigned to a new CVE? Or is something else wrong
here?

thanks,

greg k-h