Re: CVE-2021-20177 kernel: iptables string match rule could result in kernel panic

[Greg KH <greg () kroah com>]

On Tue, Jan 12, 2021 at 04:58:07PM +1000, Wade Mealing wrote:
> Gday,
>
> A flaw was found in the Linux kernels implementation of string matching
> within a packet. A privileged user
> (with root or CAP_NET_ADMIN ) when inserting iptables rules could insert a
> rule which can panic the system.
>
> Likely a user with these permissions could do worse, however it crashes the
> system (DOS) and the user is going to have a bad day
> especially if the rule is inserted and restored on every boot.
>
> At this time it doesn't affect RHEL releases, and there are fixes already
> in multiple upstream trees.
>
> Thanks,
>
> Wade Mealing
>
> Upstream patch:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ca58fbe06c54
>
> Upstream bugzilla:
> https://bugzilla.kernel.org/show_bug.cgi?id=209823
>
> Red Hat Bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=1914719

I still do not understand why you report issues that are fixed over a
year ago (October 2019) and assign them a CVE like this.  Who does this
help out?  And what about the thousands of other issues that are fixed
in the kernel and not assigned a CVE like this, are they somehow not as
important to your group?

What determines what you want to give a CVE to and what you do not?

thanks,

greg k-h