Hello,
CVE-2019-12381 was fixed in the upstream linux kernel with the commit :- * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
Tests run: * Chrome OS tryjobs
Thanks, - Zubin
On Mon, Jun 03, 2019 at 04:02:40PM -0700, Zubin Mithra wrote:
Hello,
CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
- 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
Same comments here as on the ipv6 bug.
Should I just go create CVEs for every single stable kernel patches?
Actually, it's been often suggested that I should, just to drive the point home...
thanks,
greg k-h
On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote:
Hello,
CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
- 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
Tests run:
- Chrome OS tryjobs
This doesn't fix a security vulnerability. There already was a check for allocation failure before dereferencing the returned pointer; it just wasn't in the most obvious place.
I've requested rejection of this CVE, and several other invalid reports from the same person.
Ben.
On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote:
On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote:
Hello,
CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
- 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
Tests run:
- Chrome OS tryjobs
This doesn't fix a security vulnerability. There already was a check for allocation failure before dereferencing the returned pointer; it just wasn't in the most obvious place.
I've discussing this with others these days. You mean the check if (!new_ra)? I don't think this check is for allocation failure. Because 'new_ra' is NULL when 'on' is zero. The check should be if (on && !new_ra) if it is for memory allocation failure.
I've requested rejection of this CVE, and several other invalid reports from the same person.
I think I should be in the CC list. Should I?
Thanks Gen
Ben.
-- Ben Hutchings Experience is what causes a person to make new mistakes instead of old ones.
On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote:
On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote:
Hello,
CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
- 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
Tests run:
- Chrome OS tryjobs
This doesn't fix a security vulnerability. There already was a check for allocation failure before dereferencing the returned pointer; it just wasn't in the most obvious place.
I've requested rejection of this CVE, and several other invalid reports from the same person.
And where did this 'invalid' come from? Did any maintainers claimed the patch 'invalid' or something? I am confused...
Thanks Gen
Ben.
-- Ben Hutchings Experience is what causes a person to make new mistakes instead of old ones.
On Fri, 2019-06-07 at 10:41 +0800, Gen Zhang wrote:
On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote:
On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote:
Hello,
CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
- 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
Tests run:
- Chrome OS tryjobs
This doesn't fix a security vulnerability. There already was a check for allocation failure before dereferencing the returned pointer; it just wasn't in the most obvious place.
I've requested rejection of this CVE, and several other invalid reports from the same person.
And where did this 'invalid' come from? Did any maintainers claimed the patch 'invalid' or something? I am confused...
I'm not saying the patch is invalid. It makes the code clearer and seems to result in returning a more appropriate error code. So I don't disagree with the patch, only the claim that it's fixing a security issue.
My requests to reject the CVE assignments were made using MITRE's web form.
Ben.
On Fri, Jun 07, 2019 at 02:02:09PM +0100, Ben Hutchings wrote:
On Fri, 2019-06-07 at 10:41 +0800, Gen Zhang wrote:
On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote:
On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote:
Hello,
CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
- 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
Tests run:
- Chrome OS tryjobs
This doesn't fix a security vulnerability. There already was a check for allocation failure before dereferencing the returned pointer; it just wasn't in the most obvious place.
I've requested rejection of this CVE, and several other invalid reports from the same person.
And where did this 'invalid' come from? Did any maintainers claimed the patch 'invalid' or something? I am confused...
I'm not saying the patch is invalid. It makes the code clearer and seems to result in returning a more appropriate error code. So I don't disagree with the patch, only the claim that it's fixing a security issue.
My requests to reject the CVE assignments were made using MITRE's web form.
Well, I see. Thanks for your comments.
Thanks Gen
Ben.
-- Ben Hutchings Life would be so much easier if we could look at the source code.
linux-stable-mirror@lists.linaro.org
-
Ben Hutchings -
Gen Zhang -
Greg KH -
Zubin Mithra