Fix for CVE-2018-1120 in 4.4

I've backported changes to fix CVE-2018-1120 (denial of service via
FUSE-backed /proc/PID/cmdline) in 4.4-stable.  See
<https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt>
for an explanation of the issue.

This was already fixed in newer stable branches, but the fix depended
on API changes made in 4.9.  The API changes are fairly straightforward
and should be low risk, so the attached patches include those API
changes.

I verified that the proof-of-concept no longer works after these
changes, and that there were no regressions in the user-copy and vm
self-tests.  I leave it to you to decide whether it's worthwhile to fix
this in 4.4.

Ben.

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom

Attachment: security-4.4-CVE-2018-1120.mbox
Description: application/mbox

