Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAA=iMUKJ2gz4iAWTSGqmi4Smai+PH7GEG6zaYzFvDSiLyRZE+w@mail.gmail.com>
Date: Sun, 6 Nov 2016 21:50:35 +0200
From: Eyal Itkin <eyal.itkin@...il.com>
To: secalert@...hat.com
Cc: oss-security@...ts.openwall.com
Subject: Re: [engineering.redhat.com #426293] CVE Request - firewire driver
 RCE - linux 4.8

Hello,

The security patch was deployed yesterday in the official git repository of
linux, after the fix was reviewed and approved by me.
Therefore, CVE 2016-8633 can now be publicly disclosed.

Commit id of the fix:
    667121ace9dbafb368618dbabcf07901c962ddac
    https://git.kernel.org/linus/667121ace9db

Commit id of the mainline merge:
    03daa36f089f31002a2d0fb22088d3ebe3e28d98
    https://git.kernel.org/linus/03daa36f089f

Public disclosure details in my security blog:
    https://eyalitkin.wordpress.com/2016/11/06/cve-
publication-cve-2016-8633/

P.S. I CCed oss-security since in a second CVE (not public yet) I was told
by your colleague to send the publication request to oss-security.

Thanks for your help,
Eyal Itkin.

On Thu, Nov 3, 2016 at 1:03 PM, Red Hat Product Security <
secalert@...hat.com> wrote:

> On Wed Nov 02 22:41:25 2016, eyal.itkin@...il.com wrote:
> > Hello,
> >
> > In a short security audit i made to the firewire driver in the linux
> > kernel, version 4.8, I found severe security vulnerabilities.
> >
> > After contacting security@...nel.org, the driver's contributors have
> > confirmed my findings and have written a patch that fixes the
> > vulnerability:
> >
> > http://git.kernel.org/cgit/linux/kernel/git/ieee1394/
> > linux1394.git/commit/?h=testing&id=ff89027279ec57d69797cbae7c6816
> 72f1dbea71
> >
> > [...]
>
> Hello Eyal,
>
> Thank you for reporting this issue and for your extensive analysis.
> Please, use
> CVE-2016-8633 for this issue. We'll treat this issue as embargoed for now.
>
> Best Regards,
>
> --
> Adam Mariš / Red Hat Product Security
>
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.