On Thu, Apr 07, 2022 at 12:40:51PM +0200, achtol wrote:
> Hello,
>
> It seems the fix commits for a couple of CVEs have not been cherry picked in
> the current linux-5.4.y branch (v5.4.188, currently):
>
> ---
>
> CVE-2020-16120:
>
> <https://nvd.nist.gov/vuln/detail/CVE-2020-16120> references the following
> mainline commits:
>
> d1d04ef8572bc8c22265057bd3d5a79f223f8f52 "ovl: stack file ops" (break
> commit)
> 56230d956739b9cb1cbde439d76227d77979a04d "ovl: verify permissions in
> ovl_path_open()"
> 48bd024b8a40d73ad6b086de2615738da0c7004f "ovl: switch to mounter creds
> in readdir"
> 05acefb4872dae89e772729efb194af754c877e8 "ovl: check permission to open
> real file"
> b6650dab404c701d7fe08a108b746542a934da84 "ovl: do not fail because of
> O_NOATIME"
>
> The CVE description says the last commit in the list above fixes a
> regression introduced by these two commits:
>
> 130fdbc3d1f9966dd4230709c30f3768bccd3065 "ovl: pass correct flags for
> opening real directory"
> 292f902a40c11f043a5ca1305a114da0e523eaa3 "ovl: call secutiry hook in
> ovl_real_ioctl()"
>
> ---
>
> CVE-2021-3428:
>
> According to <https://bugzilla.suse.com/show_bug.cgi?id=1173485>, the
> mainline fix commits are:
>
> d176b1f62f24 "ext4: handle error of ext4_setup_system_zone() on remount"
> bf9a379d0980 "ext4: don't allow overlapping system zones"
> ce9f24cccdc0 "ext4: check journal inode extents more carefully"
>
> Of these, only the first two have been cherry-picked.
>
> ---
>
> Half of these commits may be cherry-picked without a conflict.

Which half?

> I wonder why
> they have not been applied and cannot find any discussion about them on this
> mailing list. Is it an oversight? Or because the v5.4 line is not affected?
> Some other reason?

If you can provide a working set of patches backported, I will be glad
to review them and apply them if needed.

thanks,

greg k-h