oss-sec mailing list archives

Re: CVE request - Linux kernel: VFAT slab-based buffer overflow


From: Yves-Alexis Perez <corsac () debian org>
Date: Fri, 01 Mar 2013 15:18:23 +0100

On mer., 2013-02-27 at 13:44 -0800, Greg KH wrote:
> On Wed, Feb 27, 2013 at 10:26:16PM +0100, Yves-Alexis Perez wrote:
> > On mer., 2013-02-27 at 10:05 -0800, Greg KH wrote:
> > > Yes, I need someone to actually do this.  There used to be a Red Hat
> > > security team member that did this, or so I thought.  What happened to
> > > that process?  I'll ask on security () kernel org if someone wants to
> > > volunteer to do this, but if not, are you, or anyone else you know/trust
> > > willing to do so?
> >
> > And do you think it'd be possible to have the same kind of notifications
> > for (known security) issues not on security@k.o but committed to the
> > tree?
>
> That's the whole problem here, who is going to do such a classification,
> and after that, the notification?  The first part is the toughest to do,
> as discussed elsewhere in this thread.

I might not have been clear, but I was merely speaking of *already
known* security issues, not “to be classified (or not)” ones. I do know
classification is hard, but if I understand correctly:

- there are issues which are known to be security ones at commit time
- some of them have been sent before to security@k.o
- some of them have not because subsystem maintainers don't want (like
  networking) to go through that alias (why?)

I was merely speaking of those latter issues.

Regards,
-- 
Yves-Alexis
