Re: [PATCH] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()

On 2018-12-17 22:05, Greg KH wrote:
On Mon, Dec 17, 2018 at 08:42:38PM +0100, Loic wrote:
On 2018-12-17 09:19, Greg KH wrote:
> On Sun, Dec 16, 2018 at 09:08:20PM +0100, Loic wrote:
> > On 2018-12-16 20:27, Steven Rostedt wrote:
> > > On Sun, 16 Dec 2018 09:52:33 +0100
> > > Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > >
> > > > On Sat, Dec 15, 2018 at 06:25:37PM +0100, Loic wrote:
> > > > > Hello,
> > > > >
> > > > > Please pick up this patch for linux 4.4 and 4.9.
> > > > > This fixes CVE-2017-0605 (Rejected?). Tested in Debian ;)
> > > >
> > > > It was rejected as a CVE for a good reason, and that reason is also
> > > > why I refused to add it to the stable kernel releases.  In short,
> > > > this is not an issue or bug at all, there is nothing wrong with the
> > > > existing code.
> > > >
> > >
> > > I'm starting to regret that I ever accepted the original patch :-(
> > >
> > > -- Steve
> >
> > Okay, I hadn't looked at the previous conversations because this
> > change is in the upstream and in debian...
>
> Upstream is fine, it's a valid change so that people don't keep sending
> the crazy patch over and over.
>
> Debian is just cargo-culting the thing and should probably drop it as it
> keeps coming back to me every 3 months or so, and I have to reject it
> again :(
>
> thanks,
>
> greg k-h

Why didn't you follow the upstream or add a comment "no change for fake
CVE-2017-0605" to break the Debian patch?

How can I change upstream?  The commit can not be changed once it is
merged.

greg k-h

Sorry for my English.

No, I wanted to say a comment in stable to prevent this patch from being easily applied without reading the "fake CVE" comment.
This would avoid an upstream commit arriving in stable.

Sorry for the waste of time. Thank you.

I was always sceptical about this CVE and commented to that effect in
<https://salsa.debian.org/kernel-team/kernel-sec/raw/master/retired/CVE-2017-0605>.
But the upstream "fix" also looked safe to apply just in case there was
something I was missing...

As it's causing confusion I can drop the patch from Debian now.

Ben.

Thank you very much.

--
Best regards,

Loic
