From: "Theodore Ts'o" <tytso@mit.edu>
To: Siddh Raman Pant <siddh.raman.pant@oracle.com>
Cc: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
cve@kernel.org
Subject: Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1
Date: Mon, 6 Jan 2025 13:09:16 -0500 [thread overview]
Message-ID: <20250106180916.GI1284777@mit.edu> (raw)
In-Reply-To: <87a034f185ff5e865bc5d0db8121c39086c4f5c9.camel@oracle.com>
It looks like this CVE hasn't been revoked yet, at least per
nvd.nist.gov? Is that the best way to check kernel CVE's status?
Thanks,
- Ted
On Tue, Dec 10, 2024 at 06:08:46AM +0000, Siddh Raman Pant wrote:
> On Mon, Dec 09 2024 at 21:56:23 +0530, Theodore Ts'o wrote:
> > On Mon, Dec 09, 2024 at 02:08:02PM +0100, gregkh@linuxfoundation.org wrote:
> > > Ok, so should it be revoked?
>
> Yes, as this was an incorrect attempt at fixing CVE-2024-42305.
>
> > We're not aware of a way of triggering the OOB error, so in that sense
> > the CVE is not valid. There might be a way that someone might be able
> > to trigger it in the future; in that hypothetical future, there might
> > be some other fix that would address the root cause, but this would be
> > a belt and suspenders thing that might prevent that (hypothetical)
> > future. So in that sense, it is highly commended that enterprise
> > distros and people who are not following the LTS kernels take this
> > patch. But is it actually fixing a known vulnerability today? Not
> > that we know of.
> >
> > Cheers,
> >
> > - Ted
> >
> > P.S. If some security researcher wants to find such a way, to educate
> > people on why using LTS kernels is superior, they should feel free to
> > consider this a challenge. :-P
>
> I agree.
>
> Thanks,
> Siddh
next prev parent reply other threads:[~2025-01-06 18:09 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-21 18:02 CVE-2024-49967: ext4: no need to continue when the number of entries is 1 Greg Kroah-Hartman
2024-12-09 12:30 ` Siddh Raman Pant
2024-12-09 13:08 ` gregkh
2024-12-09 16:26 ` Theodore Ts'o
2024-12-10 6:08 ` Siddh Raman Pant
2025-01-06 18:09 ` Theodore Ts'o [this message]
2025-01-06 18:14 ` gregkh
2025-01-07 8:47 ` gregkh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250106180916.GI1284777@mit.edu \
--to=tytso@mit.edu \
--cc=cve@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=siddh.raman.pant@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.