Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 30 Jan 2024 15:01:24 -0800
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: FWD: Kernel vulnerabilities CVE-2021-33630 &
 CVE-2021-33631

On Tue, Jan 30, 2024 at 10:45:00PM +0100, Solar Designer wrote:
> Thank you Greg for looking into these issues.  It's great that most
> longterm kernel trees appear already fixed.

I've taken the one remaining missing fix into the next round of kernel
releases, so all should be good now.

> For CVE-2021-33631 (the ext4 BUG), both the distro vendor's and NVD's
> CVSS input vectors specify AV:L/AC:L/PR:L/UI:N, which means the
> vulnerability can be triggered by a local system user at will and
> without additional privileges.  I'd say that deliberately getting the
> kernel to work on a corrupted filesystem requires at least one of:
> physical access (AV:P) or privileges on the system (PR:H) or user
> interaction (UI:R).  However, there's no way to encode this in one CVSS
> vector.  Also, in the physical access case, at least the availability
> impact typically does not apply (would be A:N).

The "interesting" thing here is that the project in question (the
kernel) does not consider "mounting a corrupted filesystem" as a real
attack vector at all.  There's been long discussions about it, the most
recent being last year on the kernel summit discuss mailing list, and at
the kernel summit itself.

So while CVSS might consider this a real issue, the developers of the
project itself do not.  The disconnect is one that drives people who use
sysbot tools to create fancy corrupted filesystem images with the goal
of getting a CVE for their CV, crazy on a weekly basis when the issues
they report get constantly ignored.

Good times :)

thanks,

greg k-h

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.