Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

On Mon, Dec 03, 2018 at 04:32:18PM +0100, Ilya Dryomov wrote:
> On Mon, Dec 3, 2018 at 4:26 PM Sasha Levin <sashal@xxxxxxxxxx> wrote:
> > + Ben
> >
> > On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
> > >On Sun, Dec 2, 2018 at 4:51 PM Sasha Levin <sashal@xxxxxxxxxx> wrote:
> > >>
> > >> This is a note to let you know that I've just added the patch titled
> > >>
> > >>     libceph: implement CEPHX_V2 calculation mode
> > >>
> > >> to the 4.14-stable tree which can be found at:
> > >>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> > >>
> > >> The filename of the patch is:
> > >>      libceph-implement-cephx_v2-calculation-mode.patch
> > >> and it can be found in the queue-4.14 subdirectory.
> > >>
> > >> If you, or anyone else, feels it should not be added to the stable tree,
> > >> please let <stable@xxxxxxxxxxxxxxx> know about it.
> > >>
> > >>
> > >>
> > >> commit 14735e0afb6ed378becd0dedf37d1e5ddfa12084
> > >> Author: Ilya Dryomov <idryomov@xxxxxxxxx>
> > >> Date:   Fri Jul 27 19:25:32 2018 +0200
> > >>
> > >>     libceph: implement CEPHX_V2 calculation mode
> > >>
> > >>     commit cc255c76c70f7a87d97939621eae04b600d9f4a1 upstream.
> > >>
> > >>     Derive the signature from the entire buffer (both AES cipher blocks)
> > >>     instead of using just the first half of the first block, leaving out
> > >>     data_crc entirely.
> > >>
> > >>     This addresses CVE-2018-1129.
> > >>
> > >>     Link: http://tracker.ceph.com/issues/24837
> > >>     Signed-off-by: Ilya Dryomov <idryomov@xxxxxxxxx>
> > >>     Reviewed-by: Sage Weil <sage@xxxxxxxxxx>
> > >>     Signed-off-by: Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx>
> > >>     Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> > >
> > >Hi Sasha,
> > >
> > >The CVEs mentioned in this series are server side and CEPHX_V2 is
> > >probably more of a new feature than a security fix.  That said, I don't
> > >object to including it in 4.14.z.  If you do, please pick up the
> > >remaining two patches for interoperability:
> > >
> > >f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
> > >130f52f2b203 libceph: check authorizer reply/challenge length before reading
> >
> > Would I be pulling this patch if it didn't have the string
> > "CVE-2018-1129" in the commit message?
>
> Well, I didn't mark this series for stable, so probably not.

Alrighty, thanks.

Ben, any objections to dropping this patch?

--
Thanks,
Sasha