From: Dan Carpenter <error27@gmail.com>
To: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
Cc: cip-dev <cip-dev@lists.cip-project.org>,
linux-kernel@vger.kernel.org, lwn@lwn.net, smatch@kernel.org
Subject: Who is looking at CVEs to prevent them?
Date: Tue, 7 Mar 2023 12:51:14 +0300 [thread overview]
Message-ID: <59f7f076-a9d5-4bfb-a6da-bbe0a7567688@kili.mountain> (raw)
In-Reply-To: <CAODzB9qjdhQkZ+tALHpDLHoK7GAf8Uybfzp8mxXt=Dwnn_0RjA@mail.gmail.com>
On Thu, Jan 19, 2023 at 09:14:53AM +0900, Masami Ichikawa wrote:
> CVE-2023-0210: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in
> ksmbd_decode_ntlmssp_auth_blob
>
> 5.15, 6.0, and 6.1 were fixed.
>
> Fixed status
> mainline: [797805d81baa814f76cf7bdab35f86408a79d707]
> stable/5.15: [e32f867b37da7902685c9a106bef819506aa1a92]
> stable/6.0: [1e7ed525c60d8d51daf2700777071cd0dfb6f807]
> stable/6.1: [5e7d97dbae25ab4cb0ac1b1b98aebc4915689a86]
Sorry, I have kind of hijacked the cip-dev email list... I use these
lists to figure out where we are failing.
I created a static checker warning for this bug. I also wrote a blog
stepping through the process:
https://staticthinking.wordpress.com/2023/03/07/triaging-security-bugs/
If anyone wants to review the warnings, just email me and I can send
them to you. I Cc'd LWN because I was going to post the warnings but I
chickened out because that didn't feel like responsible disclosure. The
instructions for how to find these yourself are kind of right there in
the blog so it's not too hard to generate these results yourself... I
don't really have enough time to review static checker warnings anymore
but I don't know who wants to do that job now.
regards,
dan carpenter
next prev parent reply other threads:[~2023-03-07 12:56 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-19 0:14 New CVE entries this week Masami Ichikawa
2023-03-03 14:08 ` Dan Carpenter
2023-03-07 9:51 ` Dan Carpenter [this message]
[not found] ` <20230307110029.1947-1-hdanton@sina.com>
2023-03-07 11:32 ` Who is looking at CVEs to prevent them? Dan Carpenter
2023-03-07 11:42 ` Vlastimil Babka
2023-03-07 11:53 ` Dan Carpenter
2023-03-08 7:52 ` Vlastimil Babka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59f7f076-a9d5-4bfb-a6da-bbe0a7567688@kili.mountain \
--to=error27@gmail.com \
--cc=cip-dev@lists.cip-project.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lwn@lwn.net \
--cc=masami.ichikawa@miraclelinux.com \
--cc=smatch@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).