oss-sec mailing list archives
Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver
From: Greg KH <greg () kroah com>
Date: Wed, 8 Nov 2017 10:15:17 +0100
On Tue, Nov 07, 2017 at 08:30:05PM +0000, Maier, Kurt H wrote:
> On Tue, 2017-11-07 at 21:22 +0100, Greg KH wrote:
> > I hate to ask, but why are you getting CVEs for bugs fixed over a year ago, and are already in all stable kernel releases a year ago? Why does it matter?
> >
> > Unless you happen to have a product that doesn't ever do kernel updates from the stable trees, and well, then you know what you are doing and don't need CVEs assigned either, right? :)
>
> Kernel maintainers' policy is clear, and nobody is asking for that to change, but please don't sandbag the process of keeping track of vulnerabilities. The fraction of "products" (regardless of vendor) that run linux and never get updates approaches unity. Being able to precisely catalog which linux releases suffer from which vulnerabilities is useful to many.

Well, I'm working on fixing the "devices do not get updates" issue through other means, so don't just give up on that one just yet :)

As for the "keep track of vulnerabilities", is that what is really happening here? Why pick a random bug fix from over a year ago for a CVE vs. the 100 other bugfixes in the past few weeks/months?

I'm really curious as to what triggered this specific CVE request that somehow misses the hundreds/thousands of other fixes that land in newer kernel releases?

thanks,

greg k-h