Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Dec 3, 2018 at 4:26 PM Sasha Levin <sashal@xxxxxxxxxx> wrote:
>
> + Ben
>
> On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
> >On Sun, Dec 2, 2018 at 4:51 PM Sasha Levin <sashal@xxxxxxxxxx> wrote:
> >>
> >> This is a note to let you know that I've just added the patch titled
> >>
> >>     libceph: implement CEPHX_V2 calculation mode
> >>
> >> to the 4.14-stable tree which can be found at:
> >>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> >>
> >> The filename of the patch is:
> >>      libceph-implement-cephx_v2-calculation-mode.patch
> >> and it can be found in the queue-4.14 subdirectory.
> >>
> >> If you, or anyone else, feels it should not be added to the stable tree,
> >> please let <stable@xxxxxxxxxxxxxxx> know about it.
> >>
> >>
> >>
> >> commit 14735e0afb6ed378becd0dedf37d1e5ddfa12084
> >> Author: Ilya Dryomov <idryomov@xxxxxxxxx>
> >> Date:   Fri Jul 27 19:25:32 2018 +0200
> >>
> >>     libceph: implement CEPHX_V2 calculation mode
> >>
> >>     commit cc255c76c70f7a87d97939621eae04b600d9f4a1 upstream.
> >>
> >>     Derive the signature from the entire buffer (both AES cipher blocks)
> >>     instead of using just the first half of the first block, leaving out
> >>     data_crc entirely.
> >>
> >>     This addresses CVE-2018-1129.
> >>
> >>     Link: http://tracker.ceph.com/issues/24837
> >>     Signed-off-by: Ilya Dryomov <idryomov@xxxxxxxxx>
> >>     Reviewed-by: Sage Weil <sage@xxxxxxxxxx>
> >>     Signed-off-by: Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx>
> >>     Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> >
> >Hi Sasha,
> >
> >The CVEs mentioned in this series are server side and CEPHX_V2 is
> >probably more of a new feature than a security fix.  That said, I don't
> >object to including it in 4.14.z.  If you do, please pick up the
> >remaining two patches for interoperability:
> >
> >f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
> >130f52f2b203 libceph: check authorizer reply/challenge length before reading
>
> Would I be pulling this patch if it didn't have the string
> "CVE-2018-1129" in the commit message?

Well, I didn't mark this series for stable, so probably not.

Thanks,

                Ilya



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux