List:       oss-security
Subject:    [oss-security] Re: [security-linux] Re: [oss-security] CVE request - Linux Kernel
From:       Mark Hatle <mark.hatle () windriver ! com>
Date:       2010-04-29 16:24:28
Message-ID: 4BD9B2BC.4090404 () windriver ! com

Eugene Teo wrote:
> On 04/29/2010 10:13 AM, Hui Zhu wrote:
>> Hi All,
>>
>> The problem is that if KGDB is enabled on a powerpc board, a
>> test that checks if a page is user or kernel is bypassed.
>> This means that a user can write to arbitrary kernel address space.
>>
>> Upon further investigation, we found that kernels older than
>> the v2.6.30-rc1 release have the same problem for non-booke
>> ppc chips (74xx, 8641D), so we need two patches for kernels
>> up to that date, and then one patch for ones after that date.

I'm sorry. This was a mistake on our part. We had intended to send the
information to vendor-sec and coordinate with other potentially affected
vendors. Then once a reasonable coordinated time had passed to send it to
security@kernel.org as well as oss-security and lkml.

Our standard procedure:

* contact vendor-sec and coordinate with other affected vendors
* send the information to the project specific security list
* once public send the information to:
    * oss-security@lists.openwall.com
    * other appropriate public project list(s)

Mark Hatle
Linux Security Incident Lead
Wind River Systems

> Hi Hui,
> 
> Just FYI, oss-security is a public mailing list. I noticed you have 
> already cc'ed the KGDB maintainer. If you are trying to report a kernel 
> security issue that is neither fixed nor disclosed previously AFAIK, you 
> might want to try CC'ing security@kernel.org and LKML. Drop LKML if you 
> want to keep it private for a short period of time.
> 
> Thanks, Eugene

