All of lore.kernel.org
 help / color / mirror / Atom feed
* Fix for CVE-2018-1120 in 4.4
@ 2018-12-13 20:24 Ben Hutchings
  2018-12-13 20:39 ` Greg Kroah-Hartman
  0 siblings, 1 reply; 2+ messages in thread
From: Ben Hutchings @ 2018-12-13 20:24 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Sasha Levin
  Cc: stable, Lorenzo Stoakes, Linus Torvalds, Willy Tarreau

[-- Attachment #1: Type: text/plain, Size: 889 bytes --]

I've backported changes to fix CVE-2018-1120 (denial of service via
FUSE-backed /proc/PID/cmdline) in 4.4-stable.  See
<https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt>
for an explanation of the issue.

This was already fixed in newer stable branches, but the fix depended
on API changes made in 4.9.  The API changes are fairly straightforward
and should be low risk, so the attached patches include those API
changes.

I verified that the proof-of-concept no longer works after these
changes, and that there were no regressions in the user-copy and vm
self-tests.  I leave it to you to decide whether it's worthwhile to fix
this in 4.4.

Ben.

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom

[-- Attachment #2: security-4.4-CVE-2018-1120.mbox --]
[-- Type: application/mbox, Size: 68200 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-12-13 20:39 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-12-13 20:24 Fix for CVE-2018-1120 in 4.4 Ben Hutchings
2018-12-13 20:39 ` Greg Kroah-Hartman

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.