Message-ID: <20111223211218.GA19763@openwall.com>
Date: Sat, 24 Dec 2011 01:12:18 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Status of two Linux kernel issues w/o CVE assignments

On Fri, Dec 23, 2011 at 01:52:24PM -0700, Kurt Seifried wrote:
> On 12/22/2011 09:44 AM, Moritz Muehlenhoff wrote:
> >2: /proc/$PID/{sched,schedstat} information leak
> >Vasiliy Kulikov of OpenWall posted a demo exploit.
> >http://openwall.com/lists/oss-security/2011/11/05/3
> >
> >AFAICS no CVE ID was assigned to this?
>
> I believe we are not assigning CVE's for these types of proc related
> issues, some discussion was had:
>
> https://lkml.org/lkml/2011/2/7/368

For "these types" (what types?) of proc related issues, or for all
infoleak issues related to procfs?

To me, a timing attack based on data in a world-readable proc file is
totally different from a data leak via fd preserved across SUID exec.
Thus, a CVE (non-)assignment decision for one of these should have
nothing to do with CVE (non-)assignment for the other.

Alexander