From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from bh-25.webhostbox.net ([208.91.199.152]:40213 "EHLO bh-25.webhostbox.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750841AbeERQAJ (ORCPT ); Fri, 18 May 2018 12:00:09 -0400 Date: Fri, 18 May 2018 09:00:07 -0700 From: Guenter Roeck To: Greg Kroah-Hartman Cc: stable Subject: Re: Please apply dd83c161fbcc ("kernel/exit.c: avoid undefined behaviour when calling wait4()") to v4.9.y and older Message-ID: <20180518160007.GA5123@roeck-us.net> References: <7d456b92-3cd8-25f8-83a2-0f0ab5edb7f6@roeck-us.net> <20180518145207.GB3569@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180518145207.GB3569@kroah.com> Sender: stable-owner@vger.kernel.org List-ID: On Fri, May 18, 2018 at 04:52:07PM +0200, Greg Kroah-Hartman wrote: > On Fri, May 18, 2018 at 06:47:46AM -0700, Guenter Roeck wrote: > > Hi Greg, > > > > please apply commit dd83c161fbc ("kernel/exit.c: avoid undefined behaviour when calling wait4()") > > to v4.9.y and older to fix CVE-2018-10087. > > Odd no one asked for that one to be backported before :( > Not entirely surprising. The patch is from July 2017, it wasn't marked for stable, and the CVE has been created only recently (04/13/2018). CVE severity and the reference to the upstream commit were added yesterday, which caused our CVE tracker to barf at me. Guenter