oss-sec mailing list archives

Re: CVE request - Linux kernel: VFAT slab-based buffer overflow

From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Thu, 28 Feb 2013 00:00:27 +0100

On Wed, Feb 27, 2013 at 10:44 PM, Greg KH <greg () kroah com> wrote:

That's the whole problem here, who is going to do such a classification,
and after that, the notification?  The first part is the toughest to do,
as discussed elsewhere in this thread.


May I just bluntly call out shenanigans here? Yes, some bugs are
esoteric and it's not immediately obvious that they are security
related. But there are so many bugs that are _clearly_
security-related. Kernel developers are super smart -- some of the
brightest guys out there. When you're committing a fix for a
use-after-free, or an array indexing error, or something clearly
security-related, the claim, "well I'm not really a big security bug
classifier sort of guy..." just doesn't ring honest. You all are super
smart; it takes your brain less than a single cycle to realize this or
that memory corruption can lead to priv escalation. I admit there are
some bugs where it's not so obvious, but for so many cases, the
classification step can be done by many diverse kernel devs.

Current thread:

Re: handling of Linux kernel vulnerabilities (was: CVE request - Linux kernel: VFAT slab-based buffer overflow), (continued)
- - - Re: handling of Linux kernel vulnerabilities (was: CVE request - Linux kernel: VFAT slab-based buffer overflow) Greg KH (Mar 04)
    - Re: handling of Linux kernel vulnerabilities Kurt Seifried (Mar 04)
    - Re: handling of Linux kernel vulnerabilities Solar Designer (Mar 04)
    - Re: handling of Linux kernel vulnerabilities Noel Butler (Mar 05)
    - Re: handling of Linux kernel vulnerabilities Solar Designer (Mar 05)
    - Re: handling of Linux kernel vulnerabilities Alton Moore (Mar 05)
    - Re: handling of Linux kernel vulnerabilities (was: CVE request - Linux kernel: VFAT slab-based buffer overflow) Eric Lacombe (Mar 05)
    - Re: handling of Linux kernel vulnerabilities Andreas Ericsson (Mar 04)
    - Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Yves-Alexis Perez (Feb 27)
    - Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Greg KH (Feb 27)
    - Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Jason A. Donenfeld (Feb 27)
    - Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Greg KH (Feb 27)
    - Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Jason A. Donenfeld (Feb 27)
    - Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Kurt Seifried (Feb 27)
    - Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Jiri Kosina (Feb 27)
    - Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Daniel Kahn Gillmor (Feb 27)
    - Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Jason A. Donenfeld (Feb 27)
    - Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Yves-Alexis Perez (Mar 01)
    - Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Jason A. Donenfeld (Feb 27)
    - Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Greg KH (Feb 27)
    - Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Tim (Feb 27)

(Thread continues...)