
Re: [Xen-devel] [PATCH] fs: pipe.c null pointer dereference - CVE-2009-3547


  • To: Shaun Reitan <mailinglists@xxxxxxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxx>
  • From: Keir Fraser <keir@xxxxxxx>
  • Date: Mon, 22 Nov 2010 19:24:18 +0000
  • Cc:
  • Delivery-date: Mon, 22 Nov 2010 11:25:21 -0800
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-topic: [Xen-devel] [PATCH] fs: pipe.c null pointer dereference - CVE-2009-3547

On 22/11/2010 16:27, "Shaun Reitan" <mailinglists@xxxxxxxxxxxxxxxx> wrote:

> We've been applying this patch since the fix was discovered but I just
> realized yesterday when building a new kernel that the Xen kernel does
> not have this fix applied yet.
> 
> I also have verified that this exploit works to gain root access on the
> current http://xenbits.xensource.com/linux-2.6.18-xen.hg branch.

It has to be said, very clearly, that our 2.6.18 tree is only really of use
now as a repository of Xen patches for vendors to pull into their own,
*properly maintained and secured* kernels. We are very interested in fixing
Xen-related security issues in our 2.6.18 tree (precisely because others use
it as a repository of good Xen patches). We are less interested in general
kernel fixes, although of course as a matter of good form we will consider a
security fix such as you propose. However, the patch you supplied does not
apply to the 2.6.18 tree.

 Thanks,
 Keir


