* Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree
       [not found] <20181202155105.CA3F220851@mail.kernel.org>
From: Ilya Dryomov @ 2018-12-03 11:09 UTC
To: sashal; +Cc: stable-commits, stable

On Sun, Dec 2, 2018 at 4:51 PM Sasha Levin <sashal@kernel.org> wrote:
>
> This is a note to let you know that I've just added the patch titled
>
>     libceph: implement CEPHX_V2 calculation mode
>
> to the 4.14-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
> The filename of the patch is:
>      libceph-implement-cephx_v2-calculation-mode.patch
> and it can be found in the queue-4.14 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
>
>
>
> commit 14735e0afb6ed378becd0dedf37d1e5ddfa12084
> Author: Ilya Dryomov <idryomov@gmail.com>
> Date:   Fri Jul 27 19:25:32 2018 +0200
>
>     libceph: implement CEPHX_V2 calculation mode
>
>     commit cc255c76c70f7a87d97939621eae04b600d9f4a1 upstream.
>
>     Derive the signature from the entire buffer (both AES cipher blocks)
>     instead of using just the first half of the first block, leaving out
>     data_crc entirely.
>
>     This addresses CVE-2018-1129.
>
>     Link: http://tracker.ceph.com/issues/24837
>     Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
>     Reviewed-by: Sage Weil <sage@redhat.com>
>     Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
>     Signed-off-by: Sasha Levin <sashal@kernel.org>

Hi Sasha,

The CVEs mentioned in this series are server side and CEPHX_V2 is
probably more of a new feature than a security fix. That said, I don't
object to including it in 4.14.z. If you do, please pick up the
remaining two patches for interoperability:

f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
130f52f2b203 libceph: check authorizer reply/challenge length before reading

Thanks,

                Ilya

* Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree
From: Sasha Levin @ 2018-12-03 15:26 UTC
To: Ilya Dryomov; +Cc: stable-commits, stable, ben.hutchings

+ Ben

On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
>On Sun, Dec 2, 2018 at 4:51 PM Sasha Levin <sashal@kernel.org> wrote:
>>
>> This is a note to let you know that I've just added the patch titled
>>
>>     libceph: implement CEPHX_V2 calculation mode
>>
>> to the 4.14-stable tree which can be found at:
>>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>>
>> The filename of the patch is:
>>      libceph-implement-cephx_v2-calculation-mode.patch
>> and it can be found in the queue-4.14 subdirectory.
>>
>> If you, or anyone else, feels it should not be added to the stable tree,
>> please let <stable@vger.kernel.org> know about it.
>>
>>
>>
>> commit 14735e0afb6ed378becd0dedf37d1e5ddfa12084
>> Author: Ilya Dryomov <idryomov@gmail.com>
>> Date:   Fri Jul 27 19:25:32 2018 +0200
>>
>>     libceph: implement CEPHX_V2 calculation mode
>>
>>     commit cc255c76c70f7a87d97939621eae04b600d9f4a1 upstream.
>>
>>     Derive the signature from the entire buffer (both AES cipher blocks)
>>     instead of using just the first half of the first block, leaving out
>>     data_crc entirely.
>>
>>     This addresses CVE-2018-1129.
>>
>>     Link: http://tracker.ceph.com/issues/24837
>>     Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
>>     Reviewed-by: Sage Weil <sage@redhat.com>
>>     Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
>>     Signed-off-by: Sasha Levin <sashal@kernel.org>
>
>Hi Sasha,
>
>The CVEs mentioned in this series are server side and CEPHX_V2 is
>probably more of a new feature than a security fix. That said, I don't
>object to including it in 4.14.z. If you do, please pick up the
>remaining two patches for interoperability:
>
>f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
>130f52f2b203 libceph: check authorizer reply/challenge length before reading

Would I be pulling this patch if it didn't have the string
"CVE-2018-1129" in the commit message?

--
Thanks,
Sasha

* Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree
From: Ilya Dryomov @ 2018-12-03 15:32 UTC
To: sashal; +Cc: stable-commits, stable, ben.hutchings

On Mon, Dec 3, 2018 at 4:26 PM Sasha Levin <sashal@kernel.org> wrote:
>
> + Ben
>
> On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
> >On Sun, Dec 2, 2018 at 4:51 PM Sasha Levin <sashal@kernel.org> wrote:
> >>
> >> This is a note to let you know that I've just added the patch titled
> >>
> >>     libceph: implement CEPHX_V2 calculation mode
> >>
> >> to the 4.14-stable tree which can be found at:
> >>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> >>
> >> The filename of the patch is:
> >>      libceph-implement-cephx_v2-calculation-mode.patch
> >> and it can be found in the queue-4.14 subdirectory.
> >>
> >> If you, or anyone else, feels it should not be added to the stable tree,
> >> please let <stable@vger.kernel.org> know about it.
> >>
> >>
> >>
> >> commit 14735e0afb6ed378becd0dedf37d1e5ddfa12084
> >> Author: Ilya Dryomov <idryomov@gmail.com>
> >> Date:   Fri Jul 27 19:25:32 2018 +0200
> >>
> >>     libceph: implement CEPHX_V2 calculation mode
> >>
> >>     commit cc255c76c70f7a87d97939621eae04b600d9f4a1 upstream.
> >>
> >>     Derive the signature from the entire buffer (both AES cipher blocks)
> >>     instead of using just the first half of the first block, leaving out
> >>     data_crc entirely.
> >>
> >>     This addresses CVE-2018-1129.
> >>
> >>     Link: http://tracker.ceph.com/issues/24837
> >>     Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
> >>     Reviewed-by: Sage Weil <sage@redhat.com>
> >>     Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
> >>     Signed-off-by: Sasha Levin <sashal@kernel.org>
> >
> >Hi Sasha,
> >
> >The CVEs mentioned in this series are server side and CEPHX_V2 is
> >probably more of a new feature than a security fix. That said, I don't
> >object to including it in 4.14.z. If you do, please pick up the
> >remaining two patches for interoperability:
> >
> >f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
> >130f52f2b203 libceph: check authorizer reply/challenge length before reading
>
> Would I be pulling this patch if it didn't have the string
> "CVE-2018-1129" in the commit message?

Well, I didn't mark this series for stable, so probably not.

Thanks,

                Ilya

* Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree
From: Sasha Levin @ 2018-12-03 16:16 UTC
To: Ilya Dryomov; +Cc: stable-commits, stable, ben.hutchings

On Mon, Dec 03, 2018 at 04:32:18PM +0100, Ilya Dryomov wrote:
>On Mon, Dec 3, 2018 at 4:26 PM Sasha Levin <sashal@kernel.org> wrote:
>>
>> + Ben
>>
>> On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
>> >On Sun, Dec 2, 2018 at 4:51 PM Sasha Levin <sashal@kernel.org> wrote:
>> >>
>> >> This is a note to let you know that I've just added the patch titled
>> >>
>> >>     libceph: implement CEPHX_V2 calculation mode
>> >>
>> >> to the 4.14-stable tree which can be found at:
>> >>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>> >>
>> >> The filename of the patch is:
>> >>      libceph-implement-cephx_v2-calculation-mode.patch
>> >> and it can be found in the queue-4.14 subdirectory.
>> >>
>> >> If you, or anyone else, feels it should not be added to the stable tree,
>> >> please let <stable@vger.kernel.org> know about it.
>> >>
>> >>
>> >>
>> >> commit 14735e0afb6ed378becd0dedf37d1e5ddfa12084
>> >> Author: Ilya Dryomov <idryomov@gmail.com>
>> >> Date:   Fri Jul 27 19:25:32 2018 +0200
>> >>
>> >>     libceph: implement CEPHX_V2 calculation mode
>> >>
>> >>     commit cc255c76c70f7a87d97939621eae04b600d9f4a1 upstream.
>> >>
>> >>     Derive the signature from the entire buffer (both AES cipher blocks)
>> >>     instead of using just the first half of the first block, leaving out
>> >>     data_crc entirely.
>> >>
>> >>     This addresses CVE-2018-1129.
>> >>
>> >>     Link: http://tracker.ceph.com/issues/24837
>> >>     Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
>> >>     Reviewed-by: Sage Weil <sage@redhat.com>
>> >>     Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
>> >>     Signed-off-by: Sasha Levin <sashal@kernel.org>
>> >
>> >Hi Sasha,
>> >
>> >The CVEs mentioned in this series are server side and CEPHX_V2 is
>> >probably more of a new feature than a security fix. That said, I don't
>> >object to including it in 4.14.z. If you do, please pick up the
>> >remaining two patches for interoperability:
>> >
>> >f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
>> >130f52f2b203 libceph: check authorizer reply/challenge length before reading
>>
>> Would I be pulling this patch if it didn't have the string
>> "CVE-2018-1129" in the commit message?
>
>Well, I didn't mark this series for stable, so probably not.

Alrighty, thanks.

Ben, any objections to dropping this patch?

--
Thanks,
Sasha

* Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree
From: Ben Hutchings @ 2018-12-05 22:25 UTC
To: Sasha Levin, Ilya Dryomov; +Cc: stable-commits, stable

On Mon, 2018-12-03 at 11:16 -0500, Sasha Levin wrote:
> On Mon, Dec 03, 2018 at 04:32:18PM +0100, Ilya Dryomov wrote:
> > On Mon, Dec 3, 2018 at 4:26 PM Sasha Levin <sashal@kernel.org> wrote:
> > >
> > > + Ben
> > >
> > > On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
[...]
> > > > The CVEs mentioned in this series are server side and CEPHX_V2 is
> > > > probably more of a new feature than a security fix. That said, I don't
> > > > object to including it in 4.14.z. If you do, please pick up the
> > > > remaining two patches for interoperability:
> > > >
> > > > f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
> > > > 130f52f2b203 libceph: check authorizer reply/challenge length before reading
> > >
> > > Would I be pulling this patch if it didn't have the string
> > > "CVE-2018-1129" in the commit message?
> >
> > Well, I didn't mark this series for stable, so probably not.
>
> Alrighty, thanks.
>
> Ben, any objections to dropping this patch?

My understanding is that while the security impact is on the server
side, an unpatched client won't be able to authenticate to a patched
server. Assuming that is correct, this change seems to fit the stable
rules.

Ben.

--
Ben Hutchings, Software Developer
Codethink Ltd
https://www.codethink.co.uk/
Dale House, 35 Dale Street
Manchester, M1 2HF, United Kingdom

* Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree
From: Greg KH @ 2018-12-06 5:45 UTC
To: Ben Hutchings; +Cc: Sasha Levin, Ilya Dryomov, stable-commits, stable

On Wed, Dec 05, 2018 at 10:25:17PM +0000, Ben Hutchings wrote:
> On Mon, 2018-12-03 at 11:16 -0500, Sasha Levin wrote:
> > On Mon, Dec 03, 2018 at 04:32:18PM +0100, Ilya Dryomov wrote:
> > > On Mon, Dec 3, 2018 at 4:26 PM Sasha Levin <sashal@kernel.org> wrote:
> > > >
> > > > + Ben
> > > >
> > > > On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
> [...]
> > > > > The CVEs mentioned in this series are server side and CEPHX_V2 is
> > > > > probably more of a new feature than a security fix. That said, I don't
> > > > > object to including it in 4.14.z. If you do, please pick up the
> > > > > remaining two patches for interoperability:
> > > > >
> > > > > f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
> > > > > 130f52f2b203 libceph: check authorizer reply/challenge length before reading
> > > >
> > > > Would I be pulling this patch if it didn't have the string
> > > > "CVE-2018-1129" in the commit message?
> > >
> > > Well, I didn't mark this series for stable, so probably not.
> >
> > Alrighty, thanks.
> >
> > Ben, any objections to dropping this patch?
>
> My understanding is that while the security impact is on the server
> side, an unpatched client won't be able to authenticate to a patched
> server. Assuming that is correct, this change seems to fit the stable
> rules.

I kept them in the tree, and added the additional ones, thanks!

greg k-h