oss-sec mailing list archives
Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver
From: "Maier, Kurt H" <kurt.maier () pnnl gov>
Date: Tue, 14 Nov 2017 18:21:56 +0000
On Tue, 2017-11-14 at 08:37 +0100, Greg KH wrote:
> But really, this isn't even a "good start", it's identifying a bug fixed over a year ago for a kernel that only one company seems to care about because they are _not_ following the recommended upstream stable kernel patches because they "know better" :)
First you objected to a specific bug, then it turned into "do everything or give up," now we're back to a specific bug, and each iteration is more unrealistic "just run whatever we release immediately across all devices" advice. Please, this is not productive. And without rancor, jibes like the "know better" line are basically just trash-talking people who actually run systems for a living and the organizations that provide support and development for those systems. You're welcome to hold them in contempt but your weird persistence in ensuring that contempt is explicitly expressed in every message you post to the list is distracting at best, obnoxious as a baseline, and toxic as a rule. Consider taking it for granted that you're possessed of wisdom unattained by the masses; we've all received this message by now.
> That's my objection here.
Your objections are not accompanied by any advice that can be followed by the vast majority of people responsible for Linux systems. The rest of us are just trying to do our jobs, and the CVE process is an important tool. Please stop trying to make the kernel immune to CVE reporting without any actual path forward for those of us who need this tool.

I want to stress that I don't see a need for kernel maintainers to change their approach in this regard and I have no problem with the policies as they stand. But I am profoundly confused as to why you feel the need to post to oss-sec essentially telling people to pack it in and go home. It's not going to happen unless and until we have an even more reliable and comprehensive method of tracking vulnerabilities in packaged kernels, regardless of the blessed nature of the immaculate LTS.

Thanks for your time,
khm