From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.kernel.org ([198.145.29.99]:51204 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726549AbeLCP01 (ORCPT ); Mon, 3 Dec 2018 10:26:27 -0500
Date: Mon, 3 Dec 2018 10:26:02 -0500
From: Sasha Levin
To: Ilya Dryomov
Cc: stable-commits@vger.kernel.org, stable@vger.kernel.org, ben.hutchings@codethink.co.uk
Subject: Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree
Message-ID: <20181203152602.GH235790@sasha-vm>
References: <20181202155105.CA3F220851@mail.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To:
Sender: stable-owner@vger.kernel.org
List-ID:

+ Ben

On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
>On Sun, Dec 2, 2018 at 4:51 PM Sasha Levin wrote:
>>
>> This is a note to let you know that I've just added the patch titled
>>
>>     libceph: implement CEPHX_V2 calculation mode
>>
>> to the 4.14-stable tree which can be found at:
>>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>>
>> The filename of the patch is:
>>      libceph-implement-cephx_v2-calculation-mode.patch
>> and it can be found in the queue-4.14 subdirectory.
>>
>> If you, or anyone else, feels it should not be added to the stable tree,
>> please let know about it.
>>
>>
>>
>> commit 14735e0afb6ed378becd0dedf37d1e5ddfa12084
>> Author: Ilya Dryomov
>> Date:   Fri Jul 27 19:25:32 2018 +0200
>>
>>     libceph: implement CEPHX_V2 calculation mode
>>
>>     commit cc255c76c70f7a87d97939621eae04b600d9f4a1 upstream.
>>
>>     Derive the signature from the entire buffer (both AES cipher blocks)
>>     instead of using just the first half of the first block, leaving out
>>     data_crc entirely.
>>
>>     This addresses CVE-2018-1129.
>>
>>     Link: http://tracker.ceph.com/issues/24837
>>     Signed-off-by: Ilya Dryomov
>>     Reviewed-by: Sage Weil
>>     Signed-off-by: Ben Hutchings
>>     Signed-off-by: Sasha Levin
>
>Hi Sasha,
>
>The CVEs mentioned in this series are server side and CEPHX_V2 is
>probably more of a new feature than a security fix.  That said, I don't
>object to including it in 4.14.z.  If you do, please pick up the
>remaining two patches for interoperability:
>
>f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
>130f52f2b203 libceph: check authorizer reply/challenge length before reading

Would I be pulling this patch if it didn't have the string
"CVE-2018-1129" in the commit message?

--
Thanks,
Sasha