oss-sec mailing list archives

Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038)


From: rf () q-leap de
Date: Fri, 31 Jan 2014 18:54:17 +0100

"SD" == Solar Designer <solar () openwall com> writes:

    SD> On Fri, Jan 31, 2014 at 05:34:05PM +0100, rf () q-leap de wrote:
    >> >>>>> "SD" == Solar Designer <solar () openwall com> writes:
    SD> This is CVE-2014-0038 (assigned shortly after Kees sent the
    SD> message below).

    >> Are you sure this is the correct CVE?

    SD> Pretty sure, yes.  I am not aware of a reason to think
    SD> otherwise.

    SD> It was kindly assigned by Petr Matousek (of Red Hat, even though
    SD> their products are not affected) on Wed, 29 Jan 2014 10:01:59
    SD> +0100.

OK, thanks for the fast explanation.

    >> It was assigned already beginning of Dec. last year.

    SD> The "assigned" date seen on CVE IDs often indicates when a pool
    SD> of CVE IDs was created and then assigned to a CNA (Red Hat in
    SD> this case), not when individual CVE IDs are assigned to actual
    SD> issues.  It is perfectly normal (albeit confusing) for the
    SD> "assigned" date to be earlier than the vulnerability discovery
    SD> date.  This was discussed in here before:

    SD> http://www.openwall.com/lists/oss-security/2012/01/23/4

    SD> CNAs:

    SD> http://cve.mitre.org/cve/cna.html

Sorry for the repetition, but I wasn't subscribed yet at the time, or is
this a FAQ?

