oss-sec mailing list archives

Re: CVE request - Linux kernel: VFAT slab-based buffer overflow


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 26 Feb 2013 23:25:05 -0700

On 02/26/2013 04:05 PM, Jason A. Donenfeld wrote:
> On Tue, Feb 26, 2013 at 10:05 PM, Kurt Seifried
> The problem with security is you have to basically do it 100%
> correctly 100% of the time, otherwise things fall through the
> cracks (like this VFAT thing).
>
> Also, what about the tmpfs one from yesterday? Nobody involved in
> the patch reported that as a security bug to this list, until I saw
> it myself, just by chance, as a random person on the internet, and
> posted it to the list. In that case, it was clearly marked
> "use-after-free", but nobody involved requested a CVE.

That's my point. We're not doing this 100% of the time 100% correctly
due to resource constraints, and I highly doubt we ever will, again
due to resource constraints. That and reality, proving negatives is
hard and all that.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
