oss-sec mailing list archives
Re: [engineering.redhat.com #426293] CVE Request - firewire driver RCE - linux 4.8
From: Eyal Itkin <eyal.itkin () gmail com>
Date: Sun, 6 Nov 2016 21:50:35 +0200
Hello,

The security patch was deployed yesterday in the official git repository of linux, after the fix was reviewed and approved by me. Therefore, CVE 2016-8633 can now be publicly disclosed.

Commit id of the fix: 667121ace9dbafb368618dbabcf07901c962ddac
https://git.kernel.org/linus/667121ace9db

Commit id of the mainline merge: 03daa36f089f31002a2d0fb22088d3ebe3e28d98
https://git.kernel.org/linus/03daa36f089f

Public disclosure details in my security blog:
https://eyalitkin.wordpress.com/2016/11/06/cve-publication-cve-2016-8633/

P.S. I CCed oss-security since in a second CVE (not public yet) I was told by your colleague to send the publication request to oss-security.

Thanks for your help,
Eyal Itkin.

On Thu, Nov 3, 2016 at 1:03 PM, Red Hat Product Security <secalert () redhat com> wrote:
> On Wed Nov 02 22:41:25 2016, eyal.itkin () gmail com wrote:
>
> > Hello,
> >
> > In a short security audit I made to the firewire driver in the linux kernel, version 4.8, I found severe security vulnerabilities. After contacting security () kernel org, the driver's contributors have confirmed my findings and have written a patch that fixes the vulnerability:
> > http://git.kernel.org/cgit/linux/kernel/git/ieee1394/linux1394.git/commit/?h=testing&id=ff89027279ec57d69797cbae7c681672f1dbea71
> > [...]
>
> Hello Eyal,
>
> Thank you for reporting this issue and for your extensive analysis.
>
> Please, use CVE-2016-8633 for this issue. We'll treat this issue as embargoed for now.
>
> Best Regards,
> --
> Adam Mariš / Red Hat Product Security