Re: 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2019-06-07 at 10:41 +0800, Gen Zhang wrote:
> On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote:
> > On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote:
> > > Hello,
> > > 
> > > CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
> > > * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
> > > 
> > > Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
> > > 
> > > Tests run:
> > > * Chrome OS tryjobs
> > 
> > This doesn't fix a security vulnerability.  There already was a check
> > for allocation failure before dereferencing the returned pointer; it
> > just wasn't in the most obvious place.
> > 
> > I've requested rejection of this CVE, and several other invalid reports
> > from the same person.
> And where did this 'invalid' come from? Did any maintainers claimed the 
> patch 'invalid' or something? I am confused...

I'm not saying the patch is invalid.  It makes the code clearer and
seems to result in returning a more appropriate error code.  So I don't
disagree with the patch, only the claim that it's fixing a security
issue.

My requests to reject the CVE assignments were made using MITRE's web
form.

Ben.

-- 
Ben Hutchings
Life would be so much easier if we could look at the source code.


Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux