On Thu, Apr 07, 2022 at 01:21:02PM +0200, Greg KH wrote: > On Thu, Apr 07, 2022 at 12:40:51PM +0200, achtol wrote: > > Hello, > > > > It seems the fix commits for a couple of CVEs have not been cherry picked in > > the current linux-5.4.y branch (v5.4.188, currently): > > > > --- > > > > CVE-2020-16120: > > > > <https://nvd.nist.gov/vuln/detail/CVE-2020-16120> references the following > > mainline commits: > > > > d1d04ef8572bc8c22265057bd3d5a79f223f8f52 "ovl: stack file ops" (break > > commit) > > 56230d956739b9cb1cbde439d76227d77979a04d "ovl: verify permissions in > > ovl_path_open()" > > 48bd024b8a40d73ad6b086de2615738da0c7004f "ovl: switch to mounter creds > > in readdir" > > 05acefb4872dae89e772729efb194af754c877e8 "ovl: check permission to open > > real file" > > b6650dab404c701d7fe08a108b746542a934da84 "ovl: do not fail because of > > O_NOATIME" > > > > The CVE description says the last commit in the list above fixes a > > regression introduced by these two commits: > > > > 130fdbc3d1f9966dd4230709c30f3768bccd3065 "ovl: pass correct flags for > > opening real directory" > > 292f902a40c11f043a5ca1305a114da0e523eaa3 "ovl: call secutiry hook in > > ovl_real_ioctl()" > > > > --- > > > > CVE-2021-3428: > > > > According to <https://bugzilla.suse.com/show_bug.cgi?id=1173485>, the > > mainline fix commits are: > > > > d176b1f62f24 "ext4: handle error of ext4_setup_system_zone() on remount" > > bf9a379d0980 "ext4: don't allow overlapping system zones" > > ce9f24cccdc0 "ext4: check journal inode extents more carefully" > > > > Of these, only the first two have been cherry-picked. > > > > --- > > > > Half of these commits may be cherry-picked without a conflict. > > Which half? > > > I wonder why > > they have not been applied and cannot find any discussion about them on this > > mailing list. Is it an oversight? Or because the v5.4 line is not affected? > > Some other reason? > > If you can provide a working set of patches backported, I will be glad > to review them and apply them if needed. Given the lack of response here, I am guessing these really are not needed for 5.4 and older so will drop this from my queue. If that is not the case, please send a working set of backports. thanks, greg k-h
