[Ksummit-2013-discuss] Topic Proposal: Handling Security Issues in the kernel

Dan Carpenter dan.carpenter at oracle.com
Sat Aug 17 16:13:11 UTC 2013


On Thu, Aug 15, 2013 at 09:30:40PM +1000, James Morris wrote:
> How well is our process working for security triage?  Have we had 
> maintainers miss security implications of bugfixes they've applied?

I went through some of my patches to see if there are any which
possibly could have been applied to 3.4.58 but aren't.

e9a4aa3ba3 NFC: llcp: integer underflow in nfc_llcp_set_remote_gb()
cb4b102f0a tipc: add a bounds check in link_recv_changeover_msg()
f674e72ff1 net/key/af_key.c: add range checks on ->sadb_x_policy_len
bd5fe738e3 ALSA: ak4xx-adda: info leak in ak4xxx_capture_source_info()
0439f31c35 NFSv4.1: integer overflow in decode_cb_sequence_args()

I think it's mostly DoS bugs.  The ALSA one is a pretty bad info
leak but I don't think the hardware is very common.  And, of course,
if your NFS admins are malicious, then you have worse things to
worry about.

I probably should have been more involved myself in pushing
these to -stable.

To be honest, I worry a lot about pissing people off with a lot of
newbie questions all the time.  Especially with this email then
there is no way to win.  If all five bugs are false positives then
I've wasted people's time and I feel stupid or if they're real bugs
then I should have said something earlier.  Ah well.

regards,
dan carpenter


