Re: CVE-2017-7874 versus CVE-2009-1185 ?

[Marcus Meissner <meissner () suse de>]

On Wed, Apr 19, 2017 at 11:21:24AM +0200, Sebastian Krahmer wrote:
> Hi
>
>
> I stumbled across https://twitter.com/info_dox/status/854372066228932609
> that is curious about an udev+kernel exploit
> (https://packetstormsecurity.com/files/142152/Linux-Kernel-4.8.0-udev-232-Privilege-Escalation.html)
>
> which claims to exploit a missing sender-check within udev. That makes
> me wonder, as kernel 4.8.0 (and even earlier) no longer allow users
> to send NETLINK_KOBJECT_UEVENT messages. Our testcases fail,
> as they should:
>
> https://bugzilla.suse.com/show_bug.cgi?id=1034330
>
>
> However, MITRE apparently assigned a valid CVE for it:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7874
>
> So either we miss some weird corner case or the CVE is invalid
> and should be withdrawn?

I think the reporter is incorrect and it should be retracted. I tried emailing 
him, but got no reply on this issue so far.

Ciao, Marcus