From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:33643 "EHLO
	mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750753AbcFDTmT (ORCPT
	<rfc822;stable@vger.kernel.org>); Sat, 4 Jun 2016 15:42:19 -0400
Date: Sat, 4 Jun 2016 12:42:18 -0700
From: Greg KH <gregkh@linuxfoundation.org>
To: Moritz Muehlenhoff <moritz@wikimedia.org>
Cc: stable@vger.kernel.org
Subject: Re: Security fixes for 4.4.x
Message-ID: <20160604194218.GC9542@kroah.com>
References: <20160602084908.GA29126@korn.westfalen.local>
 <20160602162716.GD26699@kroah.com>
 <20160603140932.GA8436@korn.westfalen.local>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160603140932.GA8436@korn.westfalen.local>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Fri, Jun 03, 2016 at 04:09:34PM +0200, Moritz Muehlenhoff wrote:
> Hi,
> 
> On Thu, Jun 02, 2016 at 09:27:16AM -0700, Greg KH wrote:
> > On Thu, Jun 02, 2016 at 10:49:09AM +0200, Moritz Muehlenhoff wrote:
> > > Hi,
> > > I checked for missing security fixes as of 4.4.12. Can you please
> > > merge the following? (didn't check other stable kernels):
> > > 
> > > CVE-2015-7833: [media] usbvision fix overflow of interfaces array
> > > 588afcc1c0e45358159090d95bf7b246fb67565f
> > > (second part of that was already merged in 4.4.8)
> > 
> > Are you sure about this one?  I thought there was discussions about if
> > this was correct or not...
> > 
> > > CVE-2016-2847: pipe: limit the per-user amount of pages allocated in pipes
> > > 759c01142a5d0f364a462346168a56de28a80f52
> > > (the patch mentions CVE-2013-4312, but a different CVE ID was assigned later)
> > 
> > Have you tested this?
> 
> 588afcc1c0e45358159090d95bf7b246fb67565f has been cherrypicked into the
> Debian sid kernel since December and 759c01142a5d0f364a462346168a56de28a80f52
> since February without problems.

Ok, thanks for letting me know, I've queued these up now.

> > > CVE-2016-0758: KEYS: Fix ASN.1 indefinite length object parsing
> > > 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa
> > 
> > Is this a real issue?  If so, can you cc: the patch authors and ask them
> > if they want this in a stable kernel?
> 
> Sure, will followup for the other patches in separate mail.

Wonderful, thanks for doing this.

greg k-h