Re: Security fixes for 4.4.x

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <gregkh@linuxfoundation.org>
To: Moritz Muehlenhoff <moritz@wikimedia.org>
Cc: stable@vger.kernel.org
Subject: Re: Security fixes for 4.4.x
Date: Thu, 2 Jun 2016 09:27:16 -0700	[thread overview]
Message-ID: <20160602162716.GD26699@kroah.com> (raw)
In-Reply-To: <20160602084908.GA29126@korn.westfalen.local>

On Thu, Jun 02, 2016 at 10:49:09AM +0200, Moritz Muehlenhoff wrote:
> Hi,
> I checked for missing security fixes as of 4.4.12. Can you please
> merge the following? (didn't check other stable kernels):
> 
> CVE-2015-7833: [media] usbvision fix overflow of interfaces array
> 588afcc1c0e45358159090d95bf7b246fb67565f
> (second part of that was already merged in 4.4.8)

Are you sure about this one?  I thought there was discussions about if
this was correct or not...

> CVE-2016-2847: pipe: limit the per-user amount of pages allocated in pipes
> 759c01142a5d0f364a462346168a56de28a80f52
> (the patch mentions CVE-2013-4312, but a different CVE ID was assigned later)

Have you tested this?

> CVE-2016-0758: KEYS: Fix ASN.1 indefinite length object parsing
> 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa

Is this a real issue?  If so, can you cc: the patch authors and ask them
if they want this in a stable kernel?

Same goes for all of these patches that are not originally tagged with a
stable mark, I need the acks from the maintainers.

> 
> CVE-2016-4578: ALSA: timer: Fix leak in events via snd_timer_user_ccallback
>                ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
> 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6, e4ec8cc8039a7063e24204299b462bd1383184a5
> 
> CVE-2016-4569: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
> cec8f96e49d9be372fdb0c3836dcf31ec71e457e

There might have been a reason these were not tagged with stable marks,
have you tested to see if they are relevant?

thanks,

greg k-h

next prev parent reply	other threads:[~2016-06-02 16:27 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-02  8:49 Security fixes for 4.4.x Moritz Muehlenhoff
2016-06-02 16:27 ` Greg KH [this message]
2016-06-03 14:09   ` Moritz Muehlenhoff
2016-06-04 19:42     ` Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160602162716.GD26699@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=moritz@wikimedia.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox