[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Zn1BM1ltv1fTSQkj@calendula>
Date: Thu, 27 Jun 2024 12:38:43 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Paolo Abeni <pabeni@...hat.com>
Cc: Linus Torvalds <torvalds@...uxfoundation.org>,
netfilter-devel@...r.kernel.org, davem@...emloft.net,
netdev@...r.kernel.org, kuba@...nel.org, edumazet@...gle.com,
fw@...len.de
Subject: Re: [PATCH net 2/2] netfilter: nf_tables: fully validate
NFT_DATA_VALUE on store to data registers
On Thu, Jun 27, 2024 at 12:29:20PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 27, 2024 at 12:26:49PM +0200, Paolo Abeni wrote:
> > Hi,
> > On Thu, 2024-06-27 at 03:13 +0200, Pablo Neira Ayuso wrote:
> > > On Wed, Jun 26, 2024 at 05:51:13PM -0700, Linus Torvalds wrote:
> > > > On Wed, 26 Jun 2024 at 16:38, Pablo Neira Ayuso <pablo@...filter.org> wrote:
> > > > >
> > > > > Reported-by: Linus Torvalds <torvalds@...uxfoundation.org>
> > > >
> > > > Oh, I was only the messenger boy, not the actual reporter.
> > > >
> > > > I think reporting credit should probably go to HexRabbit Chen
> > > > <hexrabbit@...co.re>
> > >
> > > I would not have really know if you don't tell me TBH, else it would
> > > have taken even longer for me to react and fix it. Because they did
> > > not really contact me to report this issue this time.
> > >
> > > But if you insist, I will do so.
> >
> > I'm sorry for the late reply.
> >
> > I guess the most fair option would be adding both tags.
"Fair option" maybe sounds too strong in this case, that email which
reported this pointer leak to userspace through ZDI did not even
report this issue to us in first place...
Linus was so kind to attract my attention on this, I appreciate he
contacted me.
Could you append this text to the pull request message:
Linus found this pointer leak to userspace via zdi-disclosures@ and
forwarded the notice to Netfilter maintainers, he appears as reporter
because whoever found this issue never approached Netfilter
maintainers neither via security@ nor in private.
If still not acceptable, I am fine to send a new PR and miss this
round of fixes.
Thanks Paolo.
> > With a repost, this will not make it into todays PR, I hope it's not a
> > problem.
>
> It is a addressing a public issue, the reporter decided to follow a
> different channel other than security@ for whatever reason.
>
> I'd prefer if you can take it in this round.
Powered by blists - more mailing lists