Re: CVE Clarification: OpenFabrics ofed stack also contains RDS protocol

[Josh Bressers <bressers () redhat com>]

----- "Marcus Meissner" <meissner () suse de> wrote:

> Hi,
>
> The openfabrics remote messaging / dma stack also contains the RDS
> protocol family module (actually it seems to be the originator before it
> came into mainline).
>
> It is in the ofa_kernel package, and SUSE ships it e.g. in the "ofed"
> packages.
>
>
> The net/rds/ code inside of it is pretty much the same as the Linux
> kernel module. It also is autoloading with module aliases.
>
> CVE-2010-3904 seems to be there up to the latest version after
> looking
> at the code (I tried the 1.4 version).
>
> CVE-2010-3865 seems to be present in some versions, but not in the
> latest version. Unverified.
>
>
> Does this need new CVEs? The projects are different, but the history
> seems clear and the code basically the same.

If the code is the same, then you can reuse the CVE id. We see this for
example when various PDF CVE ids get shared between xpdf and poppler.

If it's the same flaw, but essentially different code, they need new IDs.

> From what you describe, it sounds like they are the same, as your package
is the parent of what upstream currently has.

If you think it needs some though, let me know.

Thanks.

-- 
    JB