Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE request - Linux kernel: VFAT slab-based buffer overflow
From: Petr Matousek <pmatouse () redhat com>
Date: Wed, 27 Feb 2013 07:31:30 +0100

On Tue, Feb 26, 2013 at 09:03:46PM -0800, Greg KH wrote:
On Tue, Feb 26, 2013 at 11:41:53PM -0500, Michael Gilbert wrote:
Anyway, on a more serious note, at some point, acceptance will look
something like a real kernel-sec team that does essentially what you
just did, but on a continual basis: reviewing most/all commits for
potential security concerns and forwarding them to oss-sec to increase
identification and awareness to be applied downstream.

I will say flat out that this is an impossible task to accomplish.

As proof of that, I suggest you do this for just one major kernel
release cycle (2-3 months long).

You do know the number of patches applied to the Linux kernel every
hour, right?

Would you have caught the patch that started this thread?  I sure
didn't, and I was the one who originally applied it to the kernel tree
in the first place.  Doing "root-cause" research for every patch is
non-trivial, as I know you realize.

For starters, security () kernel org submissions should be posted to
oss-security or any other security related public mailing list when the
patch is being committed.

Petr Matousek / Red Hat Security Response Team

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]