On Fri, 2019-06-07 at 10:41 +0800, Gen Zhang wrote:
> On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote:
> > On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote:
> > > Hello,
> > > CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
> > > - 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
> > > Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y?
> > > Tests run:
> > > - Chrome OS tryjobs
> > This doesn't fix a security vulnerability. There already was a check for allocation failure before dereferencing the returned pointer; it just wasn't in the most obvious place.
> > I've requested rejection of this CVE, and several other invalid reports from the same person.
> And where did this 'invalid' come from? Did any maintainers claim the patch 'invalid' or something? I am confused...
I'm not saying the patch is invalid. It makes the code clearer and seems to result in returning a more appropriate error code. So I don't disagree with the patch, only the claim that it's fixing a security issue.
My requests to reject the CVE assignments were made using MITRE's web form.
Ben.