Date: Wed, 19 Apr 2017 13:22:47 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE-2017-7874 versus CVE-2009-1185 ?

On Wed, Apr 19, 2017 at 11:21:24AM +0200, Sebastian Krahmer wrote:
> Hi
>
>
> I stumbled across https://twitter.com/info_dox/status/854372066228932609
> that is curious about an udev+kernel exploit
> (https://packetstormsecurity.com/files/142152/Linux-Kernel-4.8.0-udev-232-Privilege-Escalation.html)
>
> which claims to exploit a missing sender-check within udev. That makes
> me wonder, as kernel 4.8.0 (and even earlier) no longer allow users
> to send NETLINK_KOBJECT_UEVENT messages. Our testcases fail,
> as they should:
>
> https://bugzilla.suse.com/show_bug.cgi?id=1034330
>
>
> However, MITRE apparently assigned a valid CVE for it:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7874
>
> So either we miss some weird corner case or the CVE is invalid
> and should be withdrawn?

I think the reporter is incorrect and it should be retracted.

I tried emailing him, but got no reply on this issue so far.

Ciao, Marcus