Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros

[Sasha Levin <sashal () kernel org>]

On Sat, Jun 07, 2025 at 10:17:08AM +0200, Greg KH wrote:
> On Fri, Jun 06, 2025 at 06:00:09PM +0200, Attila Szasz wrote:
> > I don't see how Canonical Product Security is a bad actor here for caring
> > about the actual security of downstream users and acting in a timely
> > manner about an issue that they considered to impact Ubuntu Linux,
> > correctly.
> >
> > Canonical has a scope of
> > "All Canonical issues (including Ubuntu Linux) only."
> >
> > kernel.rg has a scope of
> > "Any vulnerabilities in the Linux kernel as listed on kernel.org, excluding
> > end-of-life (EOL) versions."
> >
> > Both of them were contacted.
>
> For the record, the CNA for kernel.org was NOT contacted here at all for
> this issue.  You sent a message to security () kernel org, NOT
> cve () kernel org.  security@k.o has nothing to do with CVE assignments and
> is NOT responsible for the kernel.org CNA.  Our documentation should
> state this very clearly, if not, we will be glad to update it where
> needed, just let us know.

The scope, which I assume was quoted from
https://www.cve.org/PartnerInformation/ListofPartners/partner/Linux also
lists cve () kernel org as the right email to contact.

Note that this isn't just a technicality: for example, I'm a member of
cve@k.o, but *NOT* of security@k.o.

The first I learned of this issue was your Linkedin post[1] after this
was already assigned a CVE from Canonical.


[1] 
https://www.linkedin.com/posts/attila-sz%C3%A1sz-086abb122_ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-activity-7307735032729690113-Y8uY

--
Thanks,
Sasha