Date: Wed, 19 Apr 2017 13:22:47 +0200
From: Marcus Meissner <>
Subject: Re: CVE-2017-7874 versus CVE-2009-1185 ?

On Wed, Apr 19, 2017 at 11:21:24AM +0200, Sebastian Krahmer wrote:
> Hi
> I stumbled across
> that is curious about an udev+kernel exploit
> (
> which claims to exploit a missing sender-check within udev. That makes
> me wonder, as kernel 4.8.0 (and even earlier) no longer allow users
> to send NETLINK_KOBJECT_UEVENT messages. Our testcases fail,
> as they should:
> However, MITRE apparently assigned a valid CVE for it:
> So either we miss some weird corner case or the CVE is invalid
> and should be withdrawn?

I think the reporter is incorrect and it should be retracted. I tried emailing 
him, but got no reply on this issue so far.

Ciao, Marcus
