On Fri, 2019-06-07 at 10:41 +0800, Gen Zhang wrote: > On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote: > > On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote: > > > Hello, > > > > > > CVE-2019-12381 was fixed in the upstream linux kernel with the commit :- > > > * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") > > > > > > Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ? > > > > > > Tests run: > > > * Chrome OS tryjobs > > > > This doesn't fix a security vulnerability. There already was a check > > for allocation failure before dereferencing the returned pointer; it > > just wasn't in the most obvious place. > > > > I've requested rejection of this CVE, and several other invalid reports > > from the same person. > And where did this 'invalid' come from? Did any maintainers claimed the > patch 'invalid' or something? I am confused... I'm not saying the patch is invalid. It makes the code clearer and seems to result in returning a more appropriate error code. So I don't disagree with the patch, only the claim that it's fixing a security issue. My requests to reject the CVE assignments were made using MITRE's web form. Ben. -- Ben Hutchings Life would be so much easier if we could look at the source code.
Attachment:
signature.asc
Description: This is a digitally signed message part