Message-ID: <2025100255-cage-squall-f003@gregkh>
Date: Thu, 2 Oct 2025 16:34:26 +0200
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Re: Linux kernel: HFS+ filesystem
 implementation, issues, exposure in distros

On Thu, Oct 02, 2025 at 03:11:17PM +0200, Attila Szasz wrote:
> 
> For the sake of product security folks who rely on consistency: the Linux
> CNA recently registered a batch of HFS/HFS+ CVEs that require manipulating
> malformed filesystems as a first step. This seems inconsistent with how
> similar cases were previously handled.

If you feel the Linux CNA has issued CVEs in an inconsistent way, please
contact them and the people there will be glad to research the issue and
get back to you.  They are issuing, on average, 13 CVEs a day, and so
stuff like this easily gets lost in the firehose.

The Linux CNA is also currently "backfilling" many old CVE entries that
previously came from the GSD database, and perhaps the issues you are
referring to came from there.  If so, again, please contact them and
they will be glad to discuss it.

thanks,

greg k-h
