Re: Status of two Linux kernel issues w/o CVE assignments

[Michael Gilbert <michael.s.gilbert () gmail com>]

On Fri, Dec 23, 2011 at 3:52 PM, Kurt Seifried wrote:
> On 12/22/2011 09:44 AM, Moritz Muehlenhoff wrote:
> > Hi,
> > there were a two Linux-related CVE requests/discussions, which
> > didn't end up in an assignment:
> >
> > 1: rose: Add length checks to CALL_REQUEST parsing
> > e0bccd315db0c2f919e7fcf9cb60db21d9986f52 in mainline
> >
> > It was decided that this should be split, but without a final
> > resulting CVE assignment:
> > http://www.openwall.com/lists/oss-security/2011/04/12/1
>
>
> Can anyone shed more light on this for me? (links to fixes/etc.?).

As stated in Moritz's original message, the linux kernel git commit id
is e0bccd315.  Here is a link directly to a message with the patch:
http://marc.info/?l=linux-netdev&m=130063972406389&w=2

> > 2: /proc/$PID/{sched,schedstat} information leak
> > Vasiliy Kulikov of OpenWall posted a demo exploit.
> > http://openwall.com/lists/oss-security/2011/11/05/3
> >
> > AFAICS no CVE ID was assigned to this?
>
>
> I believe we are not assigning CVE's for these types of proc related issues,
> some discussion was had:

Infoleaks certainly do get an id as they are considered an exposure
(i.e. they make an exploiters job easier); as in Common
Vulnerabilities and Exposures (CVE):
http://cve.mitre.org

Best wishes,
Mike