XFS security fix never sent to -stable?
Josh Boyer
jwboyer at fedoraproject.org
Tue Dec 10 07:15:32 CST 2013
On Tue, Dec 10, 2013 at 2:56 AM, Greg KH <gregkh at linuxfoundation.org> wrote:
> On Tue, Dec 10, 2013 at 10:55:23AM +1100, Dave Chinner wrote:
>> [cc xfs list, cc stable at vger.kernel.org]
>>
>> On Mon, Dec 09, 2013 at 08:17:09AM -0500, Josh Boyer wrote:
>> > On Mon, Dec 9, 2013 at 7:15 AM, Luis Henriques
>> > <luis.henriques at canonical.com> wrote:
>> > > On Thu, Dec 05, 2013 at 04:35:50PM -0800, Kees Cook wrote:
>> > >> Hi,
>> > >>
>> > >> It looks like 8c567a7fab6e086a0284eee2db82348521e7120c ("xfs: add
>> > >> capability check to free eofblocks ioctl") is a security fix that was
>> > >> never sent to -stable? From what I can see, it was introduced in 3.8
>> > >> by 8ca149de80478441352a8622ea15fae7de703ced ("xfs: add
>> > >> XFS_IOC_FREE_EOFBLOCKS ioctl").
>> > >>
>> > >> I don't see this in the 3.8.y tree. Should it be added there and newer?
>> > >
>> > > Thanks Kees, I'm queuing it for the 3.11 kernel.
>> >
>> > There's also this one:
>> >
>> > http://thread.gmane.org/gmane.comp.file-systems.xfs.general/57654
>> >
>> > It fixes CVE-2013-6382
>>
>> First I've heard about there being a CVE for that bug. Since when
>> has it been considered best practice to publish CVEs without first
>> (or ever) directly contacting the relevant upstream developers?
>>
>> But, regardless of how broken I think the CVE process is, commit
>> 071c529 ("xfs: underflow bug in xfs_attrlist_by_handle()") should be
>> picked up by the stable kernels.
>
> I don't see that commit in Linus's tree, is it not there yet?

Not yet. Ben said it's applied but I'm not sure where that is.

josh