Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 Jan 2024 15:01:24 -0800
From: Greg KH <>
Subject: Re: FWD: Kernel vulnerabilities CVE-2021-33630 &

On Tue, Jan 30, 2024 at 10:45:00PM +0100, Solar Designer wrote:
> Thank you Greg for looking into these issues.  It's great that most
> longterm kernel trees appear already fixed.

I've taken the one remaining missing fix into the next round of kernel
releases, so all should be good now.

> For CVE-2021-33631 (the ext4 BUG), both the distro vendor's and NVD's
> CVSS input vectors specify AV:L/AC:L/PR:L/UI:N, which means the
> vulnerability can be triggered by a local system user at will and
> without additional privileges.  I'd say that deliberately getting the
> kernel to work on a corrupted filesystem requires at least one of:
> physical access (AV:P) or privileges on the system (PR:H) or user
> interaction (UI:R).  However, there's no way to encode this in one CVSS
> vector.  Also, in the physical access case, at least the availability
> impact typically does not apply (would be A:N).

The "interesting" thing here is that the project in question (the
kernel) does not consider "mounting a corrupted filesystem" as a real
attack vector at all.  There's been long discussions about it, the most
recent being last year on the kernel summit discuss mailing list, and at
the kernel summit itself.

So while CVSS might consider this a real issue, the developers of the
project itself do not.  The disconnect is one that drives people who use
sysbot tools to create fancy corrupted filesystem images with the goal
of getting a CVE for their CV, crazy on a weekly basis when the issues
they report get constantly ignored.

Good times :)


greg k-h

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.