Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 17 Apr 2010 23:26:46 -0400
From: Michael Gilbert <michael.s.gilbert@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: kernel: hvc_console: Fix race between hvc_close
 and hvc_remove

On Sat, 17 Apr 2010 18:15:42 -0400 Michael Gilbert wrote:

> On Thu, 04 Mar 2010 17:03:58 +0800 Eugene Teo wrote:
> 
> > Heads-up. You might want to backport this if your kernel is affected. We 
> > are not requesting a CVE name for this as it does not affect any of our 
> > Red Hat supported kernels.
> 
> are you sure about this?  i see the vulnerable code upstream in both
> 2.6.26 and 2.6.32.  does redhat not ship hvc in their kernels?  i think
> this should get a cve id because the more vanilla distros will have
> shipped with this included.

i see that hvc_console is disabled by default in the debian kernels,
and i assume it is the same for the redhat kernels.

are issues in features that are disabled by default generally treated
as unimportant? there are bound to be a (perhaps small) subset of users
turning these features on; exposing themselves to more risk if these
issues go unfixed. i suppose cve assignment depends on whether or not
there is an expectation to protect those users in addition to
defaults-using users. 

mike

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ