Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20141211182730.GA11928@kroah.com>
Date: Thu, 11 Dec 2014 13:27:30 -0500
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: PIE bypass using VDSO ASLR weakness

On Thu, Dec 11, 2014 at 06:23:23PM +0100, Hanno Böck wrote:
> On Thu, 11 Dec 2014 11:15:44 +0530
> Reno Robert <renorobert@...il.com> wrote:
> 
> > Given that ASLR is not effective in VDSO and comes down to 11 quality
> > bits as per pax test making return-to-vdso feasible even for PIE
> > binary, whether this should be considered as a bug and CVE be
> > assigned?
> 
> I opened a bug in the kernel's bugtracker:
> https://bugzilla.kernel.org/show_bug.cgi?id=89591

Don't do that, stick to the linux-kernel mailing list, cc:ing the proper
developers involved.  I say this as most kernel subsystems do not use
bugzilla.kernel.org (USB and Networking are two examples), while others
use it heavily (like ACPI).

For "core" issues like this, stick to the mailing lists, they work
better.

Actually, for "security" stuff, use the security@...nel.org alias,
that's the best way to get a quick response.

thanks,

greg k-h

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.