Date: Mon, 2 Mar 2009 17:49:55 -0500 (EST) From: "Steven M. Christey" <coley@...us.mitre.org> To: Eugene Teo <eugene@...hat.com> cc: oss-security@...ts.openwall.com, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE request: kernel: memory disclosure in SO_BSDCOMPAT gsopt On Wed, 25 Feb 2009, Eugene Teo wrote: > Eugene Teo wrote: > > [...] > > The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note > > that the same problem of leaking kernel memory will reappear if someone > > on some architecture uses struct timeval with some internal padding (for > > example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to > > leak the padded bytes to userspace. Is this going to require a separate CVE identifier? If a new minor version of the kernel wasn't released yet, then I'd consider the fix to be little more than a couple patch-discussion messages in a single Bugzilla entry. - Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ