[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege es
From:       Norbert Slusarek <nslusarek () gmx ! net>
Date:       2022-06-30 20:12:46
Message-ID: trinity-899166b1-0752-4850-abb1-9b7f19201378-1656619966440 () 3c-app-gmx-bs04
[Download RAW message or body]

>I'm attaching Norbert's exploit (lpe.c) that was attached to his May 12
>notification to linux-distros. We're now one month past the due date
>for Norbert's expected posting of this (should have been May 27, which
>is 7 days after public disclosure of the vulnerability on oss-security).
>
>Norbert, I would still appreciate a reply to the message below. I'm
>quoting it in full for context since it's been a month.
>
>Thanks,
>
>Alexander
>
>"If you shared exploit(s) that are not an essential part of the issue
>description, then at your option you may slightly delay posting them to
>oss-security but you must post the exploits to oss-security within at
>most 7 days of making the mandatory posting above. If you exercise this
>option, you have two mandatory postings to make: first with a
>sufficiently detailed issue description (as requested above) and with an
>announcement of your intent to post the exploits separately (please
>mention exactly when), and second with the exploits - or indeed you
>could have included the exploits right away, in your first and only
>mandatory posting."
>
>Did you read this before posting? If not, anything we should have done
>to ensure you'd have read it?

I missed it when I read the policy.
I think having all of the requirements structured in one place is a good
idea. Vegard's new page regarding reporting bugs in the Linux kernel
makes it clear which essential rules to follow for the Linux security
list as well as linux-distros and oss-security.

Norbert
[prev in list] [next in list] [prev in thread] [next in thread]