From: "Theodore Ts'o" <tytso@mit.edu>
To: Siddh Raman Pant <siddh.raman.pant@oracle.com>
Cc: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
cve@kernel.org
Subject: Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1
Date: Mon, 6 Jan 2025 13:09:16 -0500 [thread overview]
Message-ID: <20250106180916.GI1284777@mit.edu> (raw)
In-Reply-To: <87a034f185ff5e865bc5d0db8121c39086c4f5c9.camel@oracle.com>
It looks like this CVE hasn't been revoked yet, at least per
nvd.nist.gov? Is that the best way to check kernel CVE's status?
Thanks,
- Ted
On Tue, Dec 10, 2024 at 06:08:46AM +0000, Siddh Raman Pant wrote:
> On Mon, Dec 09 2024 at 21:56:23 +0530, Theodore Ts'o wrote:
> > On Mon, Dec 09, 2024 at 02:08:02PM +0100, gregkh@linuxfoundation.org wrote:
> > > Ok, so should it be revoked?
>
> Yes, as this was an incorrect attempt at fixing CVE-2024-42305.
>
> > We're not aware of a way of triggering the OOB error, so in that sense
> > the CVE is not valid. There might be a way that someone might be able
> > to trigger it in the future; in that hypothetical future, there might
> > be some other fix that would address the root cause, but this would be
> > a belt and suspenders thing that might prevent that (hypothetical)
> > future. So in that sense, it is highly commended that enterprise
> > distros and people who are not following the LTS kernels take this
> > patch. But is it actually fixing a known vulnerability today? Not
> > that we know of.
> >
> > Cheers,
> >
> > - Ted
> >
> > P.S. If some security researcher wants to find such a way, to educate
> > people on why using LTS kernels is superior, they should feel free to
> > consider this a challenge. :-P
>
> I agree.
>
> Thanks,
> Siddh
next prev parent reply other threads:[~2025-01-06 18:09 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <2024102133-CVE-2024-49967-a58a@gregkh>
2024-12-09 12:30 ` CVE-2024-49967: ext4: no need to continue when the number of entries is 1 Siddh Raman Pant
2024-12-09 13:08 ` gregkh
2024-12-09 16:26 ` Theodore Ts'o
2024-12-10 6:08 ` Siddh Raman Pant
2025-01-06 18:09 ` Theodore Ts'o [this message]
2025-01-06 18:14 ` gregkh
2025-01-07 8:47 ` gregkh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250106180916.GI1284777@mit.edu \
--to=tytso@mit.edu \
--cc=cve@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=siddh.raman.pant@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox