On Thu, Dec 13, 2018 at 08:24:24PM +0000, Ben Hutchings wrote: > I've backported changes to fix CVE-2018-1120 (denial of service via > FUSE-backed /proc/PID/cmdline) in 4.4-stable. See > <https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt> > for an explanation of the issue. > > This was already fixed in newer stable branches, but the fix depended > on API changes made in 4.9. The API changes are fairly straightforward > and should be low risk, so the attached patches include those API > changes. > > I verified that the proof-of-concept no longer works after these > changes, and that there were no regressions in the user-copy and vm > self-tests. I leave it to you to decide whether it's worthwhile to fix > this in 4.4. Wow, thanks for this, I never expected to see this happen, nice job. All now queued up. greg k-h
