Re: Null-Pointer Dereference in hfs.ko (Linux 4.15.0-15.16 Ubuntu)

On Wed, Apr 18, 2018 at 10:54:21AM -0700, Eric Biggers wrote:
> Also Sergej, I know that you want to consider this a "security bug" and report
> it to "security" teams, and maybe even file a CVE number.  But the reality is
> that NULL pointer dereferences rarely have much security impact, and many
> "security" teams seem to be wasting so much time with such bugs that they are
> ignoring bugs with actual security impact, like the 34 use-after-free bugs that
> are currently open in the syzbot dashboard.  So IMO, going through the full
> security circus on NULL pointer dereferences is actually detrimental to security.
> (Though, they still need to be fixed of course!)

I don't think this really needs to be fixed.  I think the security bug
is that Ubuntu have configured their system in such a way that it will
attempt to automount an HFS filesystem on a USB key.  By going through
FUSE or some other userspace filesystem, the security risk would be
eliminated.

Is it time to start moving unmaintained obsolescent filesystems with
few remaining users into staging?  ... Hey, that sounds like a good
topic for next week!


