* Backport Security Fix for CVE-2018-13095 to v4.14 @ 2018-08-06 3:01 Yuki Machida 2018-08-07 13:17 ` Greg KH 0 siblings, 1 reply; 4+ messages in thread From: Yuki Machida @ 2018-08-06 3:01 UTC (permalink / raw) To: gregkh; +Cc: stable, wen.xu, dchinner, darrick.wong Hi Greg, I conformed that a patch of CVE-2018-13095 not applied at v4.14.60. Could you please apply a patch for 4.14-stable ? CVE-2018-13095 Upstream commit 23fcb3340d033d9f081e21e6c12c2db7eaa541d3 References https://nvd.nist.gov/vuln/detail/CVE-2018-13095 Regards, Yuki Machida ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Backport Security Fix for CVE-2018-13095 to v4.14 2018-08-06 3:01 Backport Security Fix for CVE-2018-13095 to v4.14 Yuki Machida @ 2018-08-07 13:17 ` Greg KH 2018-08-07 16:39 ` Greg KH 0 siblings, 1 reply; 4+ messages in thread From: Greg KH @ 2018-08-07 13:17 UTC (permalink / raw) To: Yuki Machida; +Cc: stable, wen.xu, dchinner, darrick.wong On Mon, Aug 06, 2018 at 12:01:20PM +0900, Yuki Machida wrote: > Hi Greg, > > I conformed that a patch of CVE-2018-13095 not applied at v4.14.60. > Could you please apply a patch for 4.14-stable ? It does not apply cleanly at all, can you please provide a working backport that you have tested? thanks, greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Backport Security Fix for CVE-2018-13095 to v4.14 2018-08-07 13:17 ` Greg KH @ 2018-08-07 16:39 ` Greg KH 2018-08-07 22:43 ` Dave Chinner 0 siblings, 1 reply; 4+ messages in thread From: Greg KH @ 2018-08-07 16:39 UTC (permalink / raw) To: Yuki Machida; +Cc: stable, wen.xu, dchinner, darrick.wong On Tue, Aug 07, 2018 at 03:17:53PM +0200, Greg KH wrote: > On Mon, Aug 06, 2018 at 12:01:20PM +0900, Yuki Machida wrote: > > Hi Greg, > > > > I conformed that a patch of CVE-2018-13095 not applied at v4.14.60. > > Could you please apply a patch for 4.14-stable ? > > It does not apply cleanly at all, can you please provide a working > backport that you have tested? It also breaks the build in 4.17.y, so I've had to drop it there as well. Are you sure this fixes something that you care about? Why are people creating random CVEs for things that no one seems to actually backport? thanks, greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Backport Security Fix for CVE-2018-13095 to v4.14 2018-08-07 16:39 ` Greg KH @ 2018-08-07 22:43 ` Dave Chinner 0 siblings, 0 replies; 4+ messages in thread From: Dave Chinner @ 2018-08-07 22:43 UTC (permalink / raw) To: Greg KH; +Cc: Yuki Machida, stable, wen.xu, darrick.wong On Tue, Aug 07, 2018 at 06:39:41PM +0200, Greg KH wrote: > On Tue, Aug 07, 2018 at 03:17:53PM +0200, Greg KH wrote: > > On Mon, Aug 06, 2018 at 12:01:20PM +0900, Yuki Machida wrote: > > > Hi Greg, > > > > > > I conformed that a patch of CVE-2018-13095 not applied at v4.14.60. > > > Could you please apply a patch for 4.14-stable ? > > > > It does not apply cleanly at all, can you please provide a working > > backport that you have tested? > > It also breaks the build in 4.17.y, so I've had to drop it there as > well. I was going to ask "who tested the backport", but I see that the backport doesn't even get that far. Blind backports of this sort of fix is roughly equivalent to playing russian roulette - there's every chance the additional validation to catch the issue is completely inappropriate for older kernels and will explode on users. > Are you sure this fixes something that you care about? Why are people > creating random CVEs for things that no one seems to actually backport? Glad you said this, Greg, because the recent rash of CVEs raised for filesystem corruption issues has got well and truly out of hand, not just for mainline stable backports. It looks to me like someone thinks that "issue found by fuzzing the on disk format of a filesystem" equates to an exploitable security vulnerability. i.e. they stop thinking at "fuzzing", and they don't think through to the "need root permissions to mount the fuzzed filesystem and trigger the bug". I've ranted a lot about the crappy state of 3rd party filesystem fuzz testing in recent times, but this rash of CVEs really puts the icing on the cake.... Cheers, Dave. -- Dave Chinner dchinner@redhat.com ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-08-08 0:59 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2018-08-06 3:01 Backport Security Fix for CVE-2018-13095 to v4.14 Yuki Machida 2018-08-07 13:17 ` Greg KH 2018-08-07 16:39 ` Greg KH 2018-08-07 22:43 ` Dave Chinner
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).