lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 27 Jun 2024 12:38:43 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Paolo Abeni <pabeni@...hat.com>
Cc: Linus Torvalds <torvalds@...uxfoundation.org>,
	netfilter-devel@...r.kernel.org, davem@...emloft.net,
	netdev@...r.kernel.org, kuba@...nel.org, edumazet@...gle.com,
	fw@...len.de
Subject: Re: [PATCH net 2/2] netfilter: nf_tables: fully validate
 NFT_DATA_VALUE on store to data registers

On Thu, Jun 27, 2024 at 12:29:20PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 27, 2024 at 12:26:49PM +0200, Paolo Abeni wrote:
> > Hi,
> > On Thu, 2024-06-27 at 03:13 +0200, Pablo Neira Ayuso wrote:
> > > On Wed, Jun 26, 2024 at 05:51:13PM -0700, Linus Torvalds wrote:
> > > > On Wed, 26 Jun 2024 at 16:38, Pablo Neira Ayuso <pablo@...filter.org> wrote:
> > > > > 
> > > > > Reported-by: Linus Torvalds <torvalds@...uxfoundation.org>
> > > > 
> > > > Oh, I was only the messenger boy, not the actual reporter.
> > > > 
> > > > I think reporting credit should probably go to HexRabbit Chen
> > > > <hexrabbit@...co.re>
> > > 
> > > I would not have really know if you don't tell me TBH, else it would
> > > have taken even longer for me to react and fix it. Because they did
> > > not really contact me to report this issue this time.
> > > 
> > > But if you insist, I will do so.
> > 
> > I'm sorry for the late reply.
> > 
> > I guess the most fair option would be adding both tags.

"Fair option" maybe sounds too strong in this case, that email which
reported this pointer leak to userspace through ZDI did not even
report this issue to us in first place...

Linus was so kind to attract my attention on this, I appreciate he
contacted me.

Could you append this text to the pull request message:

Linus found this pointer leak to userspace via zdi-disclosures@ and
forwarded the notice to Netfilter maintainers, he appears as reporter
because whoever found this issue never approached Netfilter
maintainers neither via security@ nor in private.

If still not acceptable, I am fine to send a new PR and miss this
round of fixes.

Thanks Paolo.

> > With a repost, this will not make it into todays PR, I hope it's not a
> > problem.
> 
> It is a addressing a public issue, the reporter decided to follow a
> different channel other than security@ for whatever reason.
> 
> I'd prefer if you can take it in this round.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ