Re: CVE request: Kernel PID Spoofing Privilege Escalation Vulnerability

[Dan Carpenter <dan.carpenter () oracle com>]

On Wed, Sep 04, 2013 at 08:30:05PM -0600, Kurt Seifried wrote:
> Please use CVE-2013-4300 for this issue.
>
> Stupid Q, any reason why this couldn't be sent to
> http://oss-security.openwall.org/wiki/mailing-lists/distros to give
> vendors a heads up (also we can get it a CVE prior to public release
> then)?

The original patch was sent to netdev and lkml publicly from the start.

https://lkml.org/lkml/2013/8/22/462

We do have someone who is supposed to forwarding security bugs from
security () kernel org to distros.  I'm not on distros but apparently this
wasn't happening properly so we've recently assigned another person to
help with this.

We're reviewing our security policies for the during the kernel summit,
in October btw.  So far the main points are that people want less
secrecy and more public reviews and better testing.  Kees wants to keep
a record of CVEs in the kernel.

https://lists.linuxfoundation.org/pipermail/ksummit-2013-discuss/2013-August/001050.html

It's not clear if anything will actually change though.

regards,
dan carpenter