oss-sec mailing list archives
Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver
From: Brad Spengler <spender () grsecurity net>
Date: Tue, 14 Nov 2017 07:32:28 -0500
Hi Greg,

We're all aware of your objection, you bring it up every time anyone mentions Linux kernel security on this list. However, please remember that all the people contributing on this list are taking on the responsibility you and the majority of other upstream developers have abdicated.

We get it, every time there's some bug mentioned on here that you've already fixed, you want the entire world to know. Only you apparently don't want the world to know about the bug at any time before then. Vladis' original mail made it clear the bug was already fixed with the included upstream fix link, so your follow-up was unnecessary.

As I've already demonstrated many times, there are plenty of vulnerabilities you haven't fixed. The reason for that is largely due to the lack of coordinated recognition of security flaws which comes from the very top of leadership. Another is probably that there are just so many flaws, and it's simply an accepted externality of the Linux development process.

If you truly believe there is no uniqueness to security bugs, I would advise you to shut down security () kernel org. I would also ask that you come up with a better solution to the problem than demanding people run the latest version of Linux. According to my current records someone taking that advice would be exposed to a bug that can brick systems that seems nowhere close to resolution, and one that makes it impossible to run KVM guests on AMD (which went unfixed for 3 months, and the current fix isn't cc'd for stable -- makes me wonder how much testing -rc really gets).

You might want to focus your time on getting your own house in order instead of constantly pestering the people on this list -- we work in the trenches and aren't swayed by nonsense arguments that have no viable solution attached.

Thanks,
-Brad

On Tue, Nov 14, 2017 at 08:37:20AM +0100, Greg KH wrote:
> On Mon, Nov 13, 2017 at 07:42:27PM -0500, David A. Wheeler wrote:
> > On Mon, 13 Nov 2017 16:15:24 +0100, Greg KH <greg () kroah com> wrote:
> > > It's the arbitrary nature here that I am curious about, it feels like
> > > it should be "all or nothing", for CVEs to mean much here. Right now
> > > it seems like it is just, "all that we care to track"? :)
> >
> > "All" would be awesome, though unlikely. But even if that's the
> > eventual goal, "good starts" are still good starts.
>
> But really, this isn't even a "good start", it's identifying a bug fixed
> over a year ago for a kernel that only one company seems to care about
> because they are _not_ following the recommended upstream stable kernel
> patches because they "know better" :)
>
> That's my objection here.
>
> thanks,
>
> greg k-h