On Thu, Nov 03, 2022 at 04:22:58PM +0100, Marek Vasut wrote:
> On 11/3/22 05:07, Venkatesh Yadav Abbarapu wrote:
> > DFU implementation does not bound the length field in USB
> > DFU download setup packets, and it does not verify that
> > the transfer direction. Fixing the length and transfer
> > direction.
> > 
> > CVE-2022-2347
> 
> +CC Tom
> 
> Reading through https://seclists.org/oss-sec/2022/q3/41 the disclosure
> timeline at the end, I am really sad that this only reached me (as the USB
> maintainer) now in this form.
> 
> Maybe there should be some dedicated advertised ML for these things ?

A doc/develop/security.rst would be good to have in hopes of getting the
initial inquiries out correctly (I see this one went to several wrong
places). My strong preference is to disclose things in public first as
it's unlikely malicious actors don't already know about an issue. I
don't want a list for the cases where that's not possible for other
reasons, but I'm fine with (continuing) to be the primary point of
contact for issues.

> > Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
> 
> Reviewed-by: Marek Vasut <marex@denx.de>
> 
> Tom, please pick this directly soon.

I see some other USB patches outstanding as well atm, I can grab this
all the same but do you want to make a USB PR with this and a few
others?

-- 
Tom