From: Greg KH <gregkh@linuxfoundation.org>
To: Shuah Khan <shuahkh@osg.samsung.com>
Cc: Secunia Research <vuln@secunia.com>,
	shuah@kernel.org, valentina.manea.m@gmail.com,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/4] USB over IP Secuurity fixes
Date: Fri, 8 Dec 2017 17:33:38 +0100
Message-ID: <20171208163338.GA14570@kroah.com>
In-Reply-To: <9c4234b6-8aed-d6b2-a9a1-be0a05f6d6e4@osg.samsung.com>

On Fri, Dec 08, 2017 at 08:44:58AM -0700, Shuah Khan wrote:
> Hi Jakub,
> 
> On 12/08/2017 08:14 AM, Secunia Research wrote:
> > Hi Shuah,
> > 
> > Thanks a lot for the quick fixes.
> 
> Thanks for finding them and doing all the legwork in
> pinpointing the issues.
> 
> > 
> > Please, use this email address: vuln@secunia.com
> > 
> > We have assigned the following CVEs to the issues:
> > CVE-2017-16911 usbip: prevent vhci_hcd driver from leaking a socket pointer address
> > CVE-2017-16912 usbip: fix stub_rx: get_pipe() to validate endpoint number
> > CVE-2017-16913 usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input
> > CVE-2017-16914 usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer
> > 
> > Please, let me know if we should proceed with a coordinated disclosure. I'm
> > not quite sure how many distros / downstreams actually use this
> > functionality.
> 
> I believe so. We have to get these into mainline and propagate them into
> stables first which could take a couple of weeks.
> 
> I will defer to Greg KH on this to comment and weigh in.

I've queued them all up and will send them to Linus in a few days.

As for "disclosure", well, you all are talking about this on a public
mailing list, so I think there's really not much else that needs to be
"disclosed" :)

thanks,

greg k-h
