oss-sec mailing list archives
Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver
From: Amos Jeffries <squid3 () treenet co nz>
Date: Sat, 11 Nov 2017 16:02:09 +1300
On 10/11/17 06:09, David A. Wheeler wrote:
I agree that many vulnerabilities don't have CVE ids. You don't need to identify *all* vulnerabilities in old kernels... just enough to make it easier to update the kernel than try to back-patch everything. If manufacturers have to fix the CVEs to sell products, or to avoid massive returns, that creates an *economic* reason for manufacturers to begin responsibly maintain their products.
The argument is knee-capped by CVE being slowly and incrementally assigned.The cost of incremental change is nowhere near as visible to vendors. They just patch issues one by one equally as slowly then blame the end users for not upgrading/patching firmware. When the firmware upgrade process itself is shrouded by lots of scary warnings and technical actions that prevent home users doing it.
The stick doesn't work too well with vendors and distributors. Too much greed these days. And that means the carrot works better - we just have to figure out what the best carrot looks like.
AYJ
Current thread:
- CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Vladis Dronov (Nov 07)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Greg KH (Nov 07)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Maier, Kurt H (Nov 07)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Greg KH (Nov 08)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver David A. Wheeler (Nov 09)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Stiepan (Nov 10)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Amos Jeffries (Nov 11)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Stuart Gathman (Nov 11)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Maier, Kurt H (Nov 07)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Greg KH (Nov 07)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Vladis Dronov (Nov 13)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Greg KH (Nov 13)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver David A. Wheeler (Nov 13)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Greg KH (Nov 13)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Brad Spengler (Nov 14)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Eddie Chapman (Nov 14)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Maier, Kurt H (Nov 14)