* Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree
[not found] <20181202155105.CA3F220851@mail.kernel.org>
@ 2018-12-03 11:09 ` Ilya Dryomov
2018-12-03 15:26 ` Sasha Levin
0 siblings, 1 reply; 6+ messages in thread
From: Ilya Dryomov @ 2018-12-03 11:09 UTC (permalink / raw)
To: sashal; +Cc: stable-commits, stable
On Sun, Dec 2, 2018 at 4:51 PM Sasha Levin <sashal@kernel.org> wrote:
>
> This is a note to let you know that I've just added the patch titled
>
> libceph: implement CEPHX_V2 calculation mode
>
> to the 4.14-stable tree which can be found at:
> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
> The filename of the patch is:
> libceph-implement-cephx_v2-calculation-mode.patch
> and it can be found in the queue-4.14 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
>
>
>
> commit 14735e0afb6ed378becd0dedf37d1e5ddfa12084
> Author: Ilya Dryomov <idryomov@gmail.com>
> Date: Fri Jul 27 19:25:32 2018 +0200
>
> libceph: implement CEPHX_V2 calculation mode
>
> commit cc255c76c70f7a87d97939621eae04b600d9f4a1 upstream.
>
> Derive the signature from the entire buffer (both AES cipher blocks)
> instead of using just the first half of the first block, leaving out
> data_crc entirely.
>
> This addresses CVE-2018-1129.
>
> Link: http://tracker.ceph.com/issues/24837
> Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
> Reviewed-by: Sage Weil <sage@redhat.com>
> Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
Hi Sasha,
The CVEs mentioned in this series are server side and CEPHX_V2 is
probably more of a new feature than a security fix. That said, I don't
object to including it in 4.14.z. If you do, please pick up the
remaining two patches for interoperability:
f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
130f52f2b203 libceph: check authorizer reply/challenge length before reading
Thanks,
Ilya
* Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree
2018-12-03 11:09 ` Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree Ilya Dryomov
@ 2018-12-03 15:26 ` Sasha Levin
2018-12-03 15:32 ` Ilya Dryomov
0 siblings, 1 reply; 6+ messages in thread
From: Sasha Levin @ 2018-12-03 15:26 UTC (permalink / raw)
To: Ilya Dryomov; +Cc: stable-commits, stable, ben.hutchings
+ Ben
On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
>On Sun, Dec 2, 2018 at 4:51 PM Sasha Levin <sashal@kernel.org> wrote:
>>
>> This is a note to let you know that I've just added the patch titled
>>
>> libceph: implement CEPHX_V2 calculation mode
>>
>> to the 4.14-stable tree which can be found at:
>> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>>
>> The filename of the patch is:
>> libceph-implement-cephx_v2-calculation-mode.patch
>> and it can be found in the queue-4.14 subdirectory.
>>
>> If you, or anyone else, feels it should not be added to the stable tree,
>> please let <stable@vger.kernel.org> know about it.
>>
>>
>>
>> commit 14735e0afb6ed378becd0dedf37d1e5ddfa12084
>> Author: Ilya Dryomov <idryomov@gmail.com>
>> Date: Fri Jul 27 19:25:32 2018 +0200
>>
>> libceph: implement CEPHX_V2 calculation mode
>>
>> commit cc255c76c70f7a87d97939621eae04b600d9f4a1 upstream.
>>
>> Derive the signature from the entire buffer (both AES cipher blocks)
>> instead of using just the first half of the first block, leaving out
>> data_crc entirely.
>>
>> This addresses CVE-2018-1129.
>>
>> Link: http://tracker.ceph.com/issues/24837
>> Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
>> Reviewed-by: Sage Weil <sage@redhat.com>
>> Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>
>Hi Sasha,
>
>The CVEs mentioned in this series are server side and CEPHX_V2 is
>probably more of a new feature than a security fix. That said, I don't
>object to including it in 4.14.z. If you do, please pick up the
>remaining two patches for interoperability:
>
>f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
>130f52f2b203 libceph: check authorizer reply/challenge length before reading
Would I be pulling this patch if it didn't have the string
"CVE-2018-1129" in the commit message?
--
Thanks,
Sasha
* Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree
2018-12-03 15:26 ` Sasha Levin
@ 2018-12-03 15:32 ` Ilya Dryomov
2018-12-03 16:16 ` Sasha Levin
0 siblings, 1 reply; 6+ messages in thread
From: Ilya Dryomov @ 2018-12-03 15:32 UTC (permalink / raw)
To: sashal; +Cc: stable-commits, stable, ben.hutchings
On Mon, Dec 3, 2018 at 4:26 PM Sasha Levin <sashal@kernel.org> wrote:
>
> + Ben
>
> On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
> >On Sun, Dec 2, 2018 at 4:51 PM Sasha Levin <sashal@kernel.org> wrote:
> >>
> >> This is a note to let you know that I've just added the patch titled
> >>
> >> libceph: implement CEPHX_V2 calculation mode
> >>
> >> to the 4.14-stable tree which can be found at:
> >> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> >>
> >> The filename of the patch is:
> >> libceph-implement-cephx_v2-calculation-mode.patch
> >> and it can be found in the queue-4.14 subdirectory.
> >>
> >> If you, or anyone else, feels it should not be added to the stable tree,
> >> please let <stable@vger.kernel.org> know about it.
> >>
> >>
> >>
> >> commit 14735e0afb6ed378becd0dedf37d1e5ddfa12084
> >> Author: Ilya Dryomov <idryomov@gmail.com>
> >> Date: Fri Jul 27 19:25:32 2018 +0200
> >>
> >> libceph: implement CEPHX_V2 calculation mode
> >>
> >> commit cc255c76c70f7a87d97939621eae04b600d9f4a1 upstream.
> >>
> >> Derive the signature from the entire buffer (both AES cipher blocks)
> >> instead of using just the first half of the first block, leaving out
> >> data_crc entirely.
> >>
> >> This addresses CVE-2018-1129.
> >>
> >> Link: http://tracker.ceph.com/issues/24837
> >> Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
> >> Reviewed-by: Sage Weil <sage@redhat.com>
> >> Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
> >> Signed-off-by: Sasha Levin <sashal@kernel.org>
> >
> >Hi Sasha,
> >
> >The CVEs mentioned in this series are server side and CEPHX_V2 is
> >probably more of a new feature than a security fix. That said, I don't
> >object to including it in 4.14.z. If you do, please pick up the
> >remaining two patches for interoperability:
> >
> >f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
> >130f52f2b203 libceph: check authorizer reply/challenge length before reading
>
> Would I be pulling this patch if it didn't have the string
> "CVE-2018-1129" in the commit message?
Well, I didn't mark this series for stable, so probably not.
Thanks,
Ilya
* Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree
2018-12-03 15:32 ` Ilya Dryomov
@ 2018-12-03 16:16 ` Sasha Levin
2018-12-05 22:25 ` Ben Hutchings
0 siblings, 1 reply; 6+ messages in thread
From: Sasha Levin @ 2018-12-03 16:16 UTC (permalink / raw)
To: Ilya Dryomov; +Cc: stable-commits, stable, ben.hutchings
On Mon, Dec 03, 2018 at 04:32:18PM +0100, Ilya Dryomov wrote:
>On Mon, Dec 3, 2018 at 4:26 PM Sasha Levin <sashal@kernel.org> wrote:
>>
>> + Ben
>>
>> On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
>> >On Sun, Dec 2, 2018 at 4:51 PM Sasha Levin <sashal@kernel.org> wrote:
>> >>
>> >> This is a note to let you know that I've just added the patch titled
>> >>
>> >> libceph: implement CEPHX_V2 calculation mode
>> >>
>> >> to the 4.14-stable tree which can be found at:
>> >> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>> >>
>> >> The filename of the patch is:
>> >> libceph-implement-cephx_v2-calculation-mode.patch
>> >> and it can be found in the queue-4.14 subdirectory.
>> >>
>> >> If you, or anyone else, feels it should not be added to the stable tree,
>> >> please let <stable@vger.kernel.org> know about it.
>> >>
>> >>
>> >>
>> >> commit 14735e0afb6ed378becd0dedf37d1e5ddfa12084
>> >> Author: Ilya Dryomov <idryomov@gmail.com>
>> >> Date: Fri Jul 27 19:25:32 2018 +0200
>> >>
>> >> libceph: implement CEPHX_V2 calculation mode
>> >>
>> >> commit cc255c76c70f7a87d97939621eae04b600d9f4a1 upstream.
>> >>
>> >> Derive the signature from the entire buffer (both AES cipher blocks)
>> >> instead of using just the first half of the first block, leaving out
>> >> data_crc entirely.
>> >>
>> >> This addresses CVE-2018-1129.
>> >>
>> >> Link: http://tracker.ceph.com/issues/24837
>> >> Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
>> >> Reviewed-by: Sage Weil <sage@redhat.com>
>> >> Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
>> >> Signed-off-by: Sasha Levin <sashal@kernel.org>
>> >
>> >Hi Sasha,
>> >
>> >The CVEs mentioned in this series are server side and CEPHX_V2 is
>> >probably more of a new feature than a security fix. That said, I don't
>> >object to including it in 4.14.z. If you do, please pick up the
>> >remaining two patches for interoperability:
>> >
>> >f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
>> >130f52f2b203 libceph: check authorizer reply/challenge length before reading
>>
>> Would I be pulling this patch if it didn't have the string
>> "CVE-2018-1129" in the commit message?
>
>Well, I didn't mark this series for stable, so probably not.
Alrighty, thanks.
Ben, any objections to dropping this patch?
--
Thanks,
Sasha
* Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree
2018-12-03 16:16 ` Sasha Levin
@ 2018-12-05 22:25 ` Ben Hutchings
2018-12-06 5:45 ` Greg KH
0 siblings, 1 reply; 6+ messages in thread
From: Ben Hutchings @ 2018-12-05 22:25 UTC (permalink / raw)
To: Sasha Levin, Ilya Dryomov; +Cc: stable-commits, stable
On Mon, 2018-12-03 at 11:16 -0500, Sasha Levin wrote:
> On Mon, Dec 03, 2018 at 04:32:18PM +0100, Ilya Dryomov wrote:
> > On Mon, Dec 3, 2018 at 4:26 PM Sasha Levin <sashal@kernel.org> wrote:
> > >
> > > + Ben
> > >
> > > On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
[...]
> > > > The CVEs mentioned in this series are server side and CEPHX_V2 is
> > > > probably more of a new feature than a security fix. That said, I don't
> > > > object to including it in 4.14.z. If you do, please pick up the
> > > > remaining two patches for interoperability:
> > > >
> > > > f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
> > > > 130f52f2b203 libceph: check authorizer reply/challenge length before reading
> > >
> > > Would I be pulling this patch if it didn't have the string
> > > "CVE-2018-1129" in the commit message?
> >
> > Well, I didn't mark this series for stable, so probably not.
>
> Alrighty, thanks.
>
> Ben, any objections to dropping this patch?
My understanding is that while the security impact is on the server
side, an unpatched client won't be able to authenticate to a patched
server. Assuming that is correct, this change seems to fit the stable
rules.
Ben.
--
Ben Hutchings, Software Developer Codethink Ltd
https://www.codethink.co.uk/ Dale House, 35 Dale Street
Manchester, M1 2HF, United Kingdom
* Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree
2018-12-05 22:25 ` Ben Hutchings
@ 2018-12-06 5:45 ` Greg KH
0 siblings, 0 replies; 6+ messages in thread
From: Greg KH @ 2018-12-06 5:45 UTC (permalink / raw)
To: Ben Hutchings; +Cc: Sasha Levin, Ilya Dryomov, stable-commits, stable
On Wed, Dec 05, 2018 at 10:25:17PM +0000, Ben Hutchings wrote:
> On Mon, 2018-12-03 at 11:16 -0500, Sasha Levin wrote:
> > On Mon, Dec 03, 2018 at 04:32:18PM +0100, Ilya Dryomov wrote:
> > > On Mon, Dec 3, 2018 at 4:26 PM Sasha Levin <sashal@kernel.org> wrote:
> > > >
> > > > + Ben
> > > >
> > > > On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
> [...]
> > > > > The CVEs mentioned in this series are server side and CEPHX_V2 is
> > > > > > probably more of a new feature than a security fix.  That said, I don't
> > > > > > object to including it in 4.14.z.  If you do, please pick up the
> > > > > remaining two patches for interoperability:
> > > > >
> > > > > f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
> > > > > 130f52f2b203 libceph: check authorizer reply/challenge length before reading
> > > >
> > > > Would I be pulling this patch if it didn't have the string
> > > > "CVE-2018-1129" in the commit message?
> > >
> > > Well, I didn't mark this series for stable, so probably not.
> >
> > Alrighty, thanks.
> >
> > Ben, any objections to dropping this patch?
>
> My understanding is that while the security impact is on the server
> side, an unpatched client won't be able to authenticate to a patched
> server. Assuming that is correct, this change seems to fit the stable
> rules.
I kept them in the tree, and added the additional ones, thanks!
greg k-h