Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <YXf+cEN0OPEtqP7K@mussarela>
Date: Tue, 26 Oct 2021 10:11:12 -0300
From: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
To: oss-security@...ts.openwall.com
Cc: Lin Horse <kylin.formalin@...il.com>
Subject: Re: CVE-2021-3760: Linux kernel: Use-After-Free
 vulnerability of ndev->rf_conn_info object

On Tue, Oct 26, 2021 at 02:30:18PM +0200, Solar Designer wrote:
> On Tue, Oct 26, 2021 at 08:14:20PM +0800, Lin Horse wrote:
> > The commit for the fix is 1b1499a817c90fd1ce9453a2c98d2a01cca0e775 (link:
> > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1b1499a817c90fd1ce9453a2c98d2a01cca0e775
> > )
> 
> Thanks.  Looks like the same fix you already shared on September 1.
> 
> I also found this was (first?) made public on Linux kernel mailing lists
> (linux-nfc, netdev, linux-kernel) on October 7 by someone from Canonical
> (and Lin was CC'ed):
> 
> https://lists.openwall.net/netdev/2021/10/07/239
> 
> Canonical didn't break the embargo there because it was supposed to be
> already over by then, however I think it was their opportunity to remind
> about the need to make the oss-security posting, or to make the posting
> themselves.  Speaking of which, I think SUSE (as they first reminded) or

Krzysztof Kozlowski is the current NFC maintainer, so I asked him, and he
confirmed that he was on Cc when/after this was reported to
security@...nel.org. So, this was independent from the reports that were
gone through linux-distros.

He was not aware that this was brought to linux-distros and I am not sure
he is familiar with its policy as he is not a member.

I don't think we should expect an upstream maintainer to notify
oss-security and need to rely on the other methods you already mentioned to
make sure we notice when things have gone public.

Cascardo.

> Gentoo or Amazon (as they're tasked with this) could and should have
> brought this to oss-security shortly after Lin didn't reply to the
> September 17 reminder.  To send a reminder and forget for another month
> isn't a reliable approach.
> 
> Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.