[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request? buffer overflow in CIFS in 2.6.*
From:       dann frazier <dannf () debian ! org>
Date:       2009-04-29 5:28:58
Message-ID: 20090429052858.GD11901 () lackof ! org
[Download RAW message or body]

On Tue, Apr 28, 2009 at 08:27:19PM -0500, Steven French wrote:
> Jeff (Layton) was working an additional fix (updating a proposed fix from 
> Suresh J.).  We will review it together tomorrow.

Cool, thanks Steve.

Also, I now notice that CVE-2009-1439 was assigned for
the nativeFileSystem fixes, so looks like the status is:

CVE-2009-1439:
 http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.29.y.git;a=commitdiff;h=15bd8021d870d2c4fbf8c16578d72d03cfddd3a7
  http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commitdiff;h=f083def68f84b04fe3f97312498911afce79609e


CVE-2009-NOT-YET-ASSIGNED:
 http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
 http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=7b0c8fcff47a885743125dd843db64af41af5a61
  http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=968460ebd8006d55661dec0fb86712b40d71c413
  + some others in progress

Does that look accurate?

> 
> 
> Steve French
> Senior Software Engineer
> Linux Technology Center - IBM Austin
> phone: 512-838-2294
> email: sfrench at-sign us dot ibm dot com
> 
> 
> 
> dann frazier <dannf@debian.org> 
> 04/28/2009 08:12 PM
> 
> To
> oss-security@lists.openwall.com
> cc
> security@kernel.org, Steven French/Austin/IBM@IBMUS
> Subject
> Re: [oss-security] CVE request? buffer overflow in CIFS in 2.6.*
> 
> 
> 
> 
> 
> 
> On Sat, Apr 25, 2009 at 05:40:20PM +0800, Eugene Teo wrote:
> > Hi Steve,
> > 
> > > One approach might be to "pre-tag" this whole set of changes with a 
> single
> > > CVE, then when they ultimately get merged into a single kernel version 
> or
> > > some other concrete milestone, the "scope" of that CVE ends.
> > 
> > I'm fine with this approach. It can actually help to make it easier to
> > manage this set of changes.
> 
> To summarize (and make sure I understand), the plan is to create a
> single CVE for a collection of CIFS fixes. So far, this series includes
> the following changesets, but others may be added as well:
> 
> http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.29.y.git;a=commitdiff;h=15bd8021d870d2c4fbf8c16578d72d03cfddd3a7
>  
> http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commitdiff;h=f083def68f84b04fe3f97312498911afce79609e
>  
> http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
> http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=7b0c8fcff47a885743125dd843db64af41af5a61
>  
> http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=968460ebd8006d55661dec0fb86712b40d71c413
>  
> 
> Is that correct? If so, is there an estimate for when this set will be
> deemed complete and a CVE assigned?
> 
> I think that if we wait too long to close this, we'll end up with
> distributions releasing updates with only a subset of these
> fixes, which would make this "collection" somewhat difficult to track
> by CVE ID handle. I'm otherwise quite happy with this plan, fwiw.
> 

-- 
dann frazier


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic