Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Linux kernel security hardening Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Wed, 20 Jan 2010 11:19:59 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request - kernel: untangle the do_mremap()
 mess

----- "Steven M. Christey" <coley@...us.mitre.org> wrote:
> On Wed, 20 Jan 2010, Eugene Teo wrote:
> 
> > Anyway, Al summarised the mess here:
> > http://marc.info/?l=linux-arch&m=126004438008670&w=2
> >
> > And the pile of upstream commits were meant to address the problems
> > described AFAIK. It will probably make more sense to associate all
> > these related commits to just one CVE name.
> 
> I defer to Josh on this, but in a series of patches that is referred to
> as "mremap/mmap mess" in some linux-kernel subject lines, for which a
> specialist like Eugene is not entirely certain about, in which some of
> the patches are assembly-level changes for individual architectures, and
> where few of the patch diffs make it clear what the underlying problem
> was - we could collectively spend a week of labor trying to figure
> everything out from a purist CVE perspective, or anchor on a single
> series of commits that are hopefully attached to a single kernel RC or
> minor version release.  I suspect the latter would be more helpful to the
> general CVE consumer community, so my recommendation is for a single CVE,
> assuming that all of these patches make it into a single kernel update.
> 

Let's use CVE-2010-0291 for this one.

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ