[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE-2021-20177 kernel: iptables string match rule could result in kernel panic
From:       Greg KH <greg () kroah ! com>
Date:       2021-01-12 8:04:49
Message-ID: X/1YIT59FZ7clijT () kroah ! com
[Download RAW message or body]

On Tue, Jan 12, 2021 at 04:58:07PM +1000, Wade Mealing wrote:
> Gday,
> 
> A flaw was found in the Linux kernels implementation of string matching
> within a packet. A privileged user
> (with root or CAP_NET_ADMIN ) when inserting iptables rules could insert a
> rule which can panic the system.
> 
> Likely a user with these permissions could do worse, however it crashes the
> system (DOS) and the user is going to have a bad day
> especially if the rule is inserted and restored on every boot.
> 
> At this time it doesn't affect RHEL releases, and there are fixes already
> in multiple upstream trees.
> 
> Thanks,
> 
> Wade Mealing
> 
> Upstream patch:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ca58fbe06c54
> 
> Upstream bugzilla:
> https://bugzilla.kernel.org/show_bug.cgi?id=209823
> 
> Red Hat Bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=1914719

I still do not understand why you report issues that are fixed over a
year ago (October 2019) and assign them a CVE like this.  Who does this
help out?  And what about the thousands of other issues that are fixed
in the kernel and not assigned a CVE like this, are they somehow not as
important to your group?

What determines what you want to give a CVE to and what you do not?

thanks,

greg k-h
[prev in list] [next in list] [prev in thread] [next in thread]