On Thu, Dec 10, 2015 at 04:15:22PM +0100, Alexander Holler wrote: > Am 10.12.2015 um 10:23 schrieb Alexander Holler: > >Am 12.11.2015 um 12:38 schrieb David Howells: > >>This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards. > >> > >>Fix the X.509 time validation to use month number-1 when looking up the > >>number of days in that month. Also put the month number validation > >>before > >>doing the lookup so as not to risk overrunning the array. > > > >I've just run into this with 4.3.1 (mon_len ended up with 0 because of > >the wrong index). Which means currently build stable kernels with > >signature verification might not load modules (depending on which value > >the invalid index mon_len (12) ends up with. > > Just in case of, I would suggest to quickly push out 4.3.2 (only 4.3 seems > to be affected) which contains at least the patch mentioned in the subject > (58585c1fc301a36625db41ac7078c4dd0a218d84 in mainline). 58585c1fc301a36625db41ac7078c4dd0a218d84 doesn't reference anything in Linus's tree, where did you get that git commit id? David, any reason you didn't put a cc: stable in the commit for it to be picked up in the stable releases? thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html