oss-sec mailing list archives
Re: CVE request - Linux kernel: VFAT slab-based buffer overflow
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Thu, 28 Feb 2013 00:00:27 +0100
On Wed, Feb 27, 2013 at 10:44 PM, Greg KH <greg () kroah com> wrote:
That's the whole problem here, who is going to do such a classification, and after that, the notification? The first part is the toughest to do, as discussed elsewhere in this thread.
May I just bluntly call out shenanigans here? Yes, some bugs are esoteric and it's not immediately obvious that they are security related. But there are so many bugs that are _clearly_ security-related. Kernel developers are super smart -- some of the brightest guys out there. When you're committing a fix for a use-after-free, or an array indexing error, or something clearly security-related, the claim, "well I'm not really a big security bug classifier sort of guy..." just doesn't ring honest. You all are super smart; it takes your brain less than a single cycle to realize this or that memory corruption can lead to priv escalation. I admit there are some bugs where it's not so obvious, but for so many cases, the classification step can be done by many diverse kernel devs.
Current thread:
- Re: handling of Linux kernel vulnerabilities (was: CVE request - Linux kernel: VFAT slab-based buffer overflow), (continued)
- Re: handling of Linux kernel vulnerabilities (was: CVE request - Linux kernel: VFAT slab-based buffer overflow) Greg KH (Mar 04)
- Re: handling of Linux kernel vulnerabilities Kurt Seifried (Mar 04)
- Re: handling of Linux kernel vulnerabilities Solar Designer (Mar 04)
- Re: handling of Linux kernel vulnerabilities Noel Butler (Mar 05)
- Re: handling of Linux kernel vulnerabilities Solar Designer (Mar 05)
- Re: handling of Linux kernel vulnerabilities Alton Moore (Mar 05)
- Re: handling of Linux kernel vulnerabilities (was: CVE request - Linux kernel: VFAT slab-based buffer overflow) Eric Lacombe (Mar 05)
- Re: handling of Linux kernel vulnerabilities Andreas Ericsson (Mar 04)
- Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Yves-Alexis Perez (Feb 27)
- Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Greg KH (Feb 27)
- Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Jason A. Donenfeld (Feb 27)
- Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Greg KH (Feb 27)
- Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Jason A. Donenfeld (Feb 27)
- Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Kurt Seifried (Feb 27)
- Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Jiri Kosina (Feb 27)
- Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Daniel Kahn Gillmor (Feb 27)
- Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Jason A. Donenfeld (Feb 27)
- Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Yves-Alexis Perez (Mar 01)
- Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Jason A. Donenfeld (Feb 27)
- Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Greg KH (Feb 27)
- Re: CVE request - Linux kernel: VFAT slab-based buffer overflow Tim (Feb 27)