From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wm0-f53.google.com ([74.125.82.53]:35803 "EHLO mail-wm0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751629AbcFCOJi (ORCPT ); Fri, 3 Jun 2016 10:09:38 -0400 Received: by mail-wm0-f53.google.com with SMTP id a136so278198126wme.0 for ; Fri, 03 Jun 2016 07:09:37 -0700 (PDT) Date: Fri, 3 Jun 2016 16:09:34 +0200 From: Moritz Muehlenhoff To: Greg KH Cc: stable@vger.kernel.org Subject: Re: Security fixes for 4.4.x Message-ID: <20160603140932.GA8436@korn.westfalen.local> References: <20160602084908.GA29126@korn.westfalen.local> <20160602162716.GD26699@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20160602162716.GD26699@kroah.com> Sender: stable-owner@vger.kernel.org List-ID: Hi, On Thu, Jun 02, 2016 at 09:27:16AM -0700, Greg KH wrote: > On Thu, Jun 02, 2016 at 10:49:09AM +0200, Moritz Muehlenhoff wrote: > > Hi, > > I checked for missing security fixes as of 4.4.12. Can you please > > merge the following? (didn't check other stable kernels): > > > > CVE-2015-7833: [media] usbvision fix overflow of interfaces array > > 588afcc1c0e45358159090d95bf7b246fb67565f > > (second part of that was already merged in 4.4.8) > > Are you sure about this one? I thought there was discussions about if > this was correct or not... > > > CVE-2016-2847: pipe: limit the per-user amount of pages allocated in pipes > > 759c01142a5d0f364a462346168a56de28a80f52 > > (the patch mentions CVE-2013-4312, but a different CVE ID was assigned later) > > Have you tested this? 588afcc1c0e45358159090d95bf7b246fb67565f has been cherrypicked into the Debian sid kernel since December and 759c01142a5d0f364a462346168a56de28a80f52 since February without problems. > > CVE-2016-0758: KEYS: Fix ASN.1 indefinite length object parsing > > 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa > > Is this a real issue? If so, can you cc: the patch authors and ask them > if they want this in a stable kernel? Sure, will followup for the other patches in separate mail. Cheers, Moritz