From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.kernel.org ([198.145.29.99]:48432 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727157AbeLQU56 (ORCPT ); Mon, 17 Dec 2018 15:57:58 -0500 Date: Mon, 17 Dec 2018 15:57:56 -0500 From: Sasha Levin To: Loic Cc: Greg KH , debian-kernel@lists.debian.org, carnil@debian.org, ben@decadent.org.uk, Steven Rostedt , stable@vger.kernel.org, ameyt@codeaurora.org, amit.pundir@linaro.org Subject: Re: [PATCH] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline() Message-ID: <20181217205756.GT2746@sasha-vm> References: <20181215182537.e0f95a3bb791e4f68f23eac8@opensec.fr> <20181216085233.GC29097@kroah.com> <20181216142702.09ed540b@vmware.local.home> <44d50224c2b4fbe8b814da24a53f67c0@opensec.fr> <20181217081940.GA16452@kroah.com> <6af2b12206e8a640a0a30f78d4414b56@opensec.fr> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1; format=flowed Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <6af2b12206e8a640a0a30f78d4414b56@opensec.fr> Sender: stable-owner@vger.kernel.org List-ID: On Mon, Dec 17, 2018 at 08:42:38PM +0100, Loic wrote: >Le 2018-12-17 09:19, Greg KH a �crit�: >>On Sun, Dec 16, 2018 at 09:08:20PM +0100, Loic wrote: >>>Le 2018-12-16 20:27, Steven Rostedt a �crit�: >>>> On Sun, 16 Dec 2018 09:52:33 +0100 >>>> Greg KH wrote: >>>> >>>> > On Sat, Dec 15, 2018 at 06:25:37PM +0100, Loic wrote: >>>> > > Hello, >>>> > > >>>> > > Please picked up this patch for linux 4.4 and 4.9. >>>> > > This fixes CVE-2017-0605 (Rejected?). Tested in Debian ;) >>>> > >>>> > It was rejected as a CVE for a good reason, and that reason is also >>>> > why >>>> > I refused to add it to the stable kernel releases. In short, this is >>>> > not an issue or bug at all, there is nothing wrong with the existing >>>> > code. >>>> > >>>> >>>> I'm starting to regret that I ever accepted the original patch :-( >>>> >>>> -- Steve >>> >>>Okay, I hadn't looked at the previous conversations because this >>>change is >>>in the upstream and in debian... >> >>Upstream is fine, it's a valid change so that people don't keep sending >>the crazy patch over and over. >> >>Debian is just cargo-culting the thing and should probably drop it >>as it >>keeps coming back to me every 3 months or so, and I have to reject it >>again :( >> >>thanks, >> >>greg k-h > >Why didn't you follow the upstream or add a comment "no change for >fake CVE-2017-0605" to break the debian patch ? This change is fine upstream, it doesn't even mention that CVE. It just doesn't actually fix anything, so it doesn't belong in stable (nor is it tagged for stable). -- Thanks, Sasha