Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20150320232512.B11316DC005@smtpvmsrv1.mitre.org>
Date: Fri, 20 Mar 2015 19:25:12 -0400 (EDT)
From: cve-assign@...re.org
To: quentin.casasnovas@...cle.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, jamie.iles@...cle.com, mr.a.xavier@...il.com
Subject: Re: CVE Request: Linux kernel unprivileged denial-of-service due to mis-protected xsave/xrstor instructions.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> a flaw in the way the xsave/xrstor (and their alternative
> instructions) were being protected against a fault in kernel space

We believe that this report can have at least one CVE ID for a fixed
issue.

Does anyone have a preference for two CVE IDs divided in this way:

  - one CVE ID for the
    https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=f31a9f7c71691569359fa7fb8b0acaa44bce0324
    change that was introduced in 3.17. Our incomplete understanding
    from http://openwall.com/lists/oss-security/2015/03/18/6 is that
    this change had security-relevant value even though it was later
    determined to be mis-protecting.

  - a second CVE id for the
    https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=06c8173eb92bbfc03a0fe8bb64315857d0badd06
    change

? Otherwise, we will assign only the latter.

https://lkml.org/lkml/2015/3/17/462 is about "This is to prevent
future misuses of the __ex_table entry like there was for
xsaves/xrstors." Typically, code improvements for "prevent future
misuses" purposes would not lead to additional CVE IDs.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVDKtrAAoJEKllVAevmvmspVsH/0nSGMudMjV5OyQSm8Ascnk1
CxANkao5I6XjH2CKu1tyZHLHnlEnZ3nwIQf94znq77BOrqTs4kv4MRLfgsz01vWI
nl6ZnoxFM5gV4bgvhLHJWuv5x9wsZbEl0jpPRg9NflUa4EDqyEDUZbjZZf+Rw1bc
R54CyBbfGXf7tbkPX3jcM6dGqXnaCfDyPnJiElDIUpHtBEZnm8fwdvhYHOBqWROn
tMeLnORGQIiPM7GxnsMCTL5a4nsRtbXeLSmIDVlU7wEB60oxB/ZCpzg9CSHPBYEk
szx2EjCRklpMHbFLEvWO3ozI47aiy5iXkUUFSOSmJR4mVvOg+bJdUpt0dr15GL8=
=/+Zb
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.