Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAA=iMUKJ2gz4iAWTSGqmi4Smai+PH7GEG6zaYzFvDSiLyRZE+w@mail.gmail.com>
Date: Sun, 6 Nov 2016 21:50:35 +0200
From: Eyal Itkin <eyal.itkin@...il.com>
To: secalert@...hat.com
Cc: oss-security@...ts.openwall.com
Subject: Re: [engineering.redhat.com #426293] CVE Request - firewire driver
 RCE - linux 4.8

Hello,

The security patch was deployed yesterday in the official git repository of
linux, after the fix was reviewed and approved by me.
Therefore, CVE 2016-8633 can now be publicly disclosed.

Commit id of the fix:
    667121ace9dbafb368618dbabcf07901c962ddac
    https://git.kernel.org/linus/667121ace9db

Commit id of the mainline merge:
    03daa36f089f31002a2d0fb22088d3ebe3e28d98
    https://git.kernel.org/linus/03daa36f089f

Public disclosure details in my security blog:
    https://eyalitkin.wordpress.com/2016/11/06/cve-
publication-cve-2016-8633/

P.S. I CCed oss-security since in a second CVE (not public yet) I was told
by your colleague to send the publication request to oss-security.

Thanks for your help,
Eyal Itkin.

On Thu, Nov 3, 2016 at 1:03 PM, Red Hat Product Security <
secalert@...hat.com> wrote:

> On Wed Nov 02 22:41:25 2016, eyal.itkin@...il.com wrote:
> > Hello,
> >
> > In a short security audit i made to the firewire driver in the linux
> > kernel, version 4.8, I found severe security vulnerabilities.
> >
> > After contacting security@...nel.org, the driver's contributors have
> > confirmed my findings and have written a patch that fixes the
> > vulnerability:
> >
> > http://git.kernel.org/cgit/linux/kernel/git/ieee1394/
> > linux1394.git/commit/?h=testing&id=ff89027279ec57d69797cbae7c6816
> 72f1dbea71
> >
> > [...]
>
> Hello Eyal,
>
> Thank you for reporting this issue and for your extensive analysis.
> Please, use
> CVE-2016-8633 for this issue. We'll treat this issue as embargoed for now.
>
> Best Regards,
>
> --
> Adam Mariš / Red Hat Product Security
>
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.