Re: [kernel-hardening] 2015 kernel CVEs

From: Eric W. Biederman
Date: Tue Jan 19 2016 - 17:56:46 EST

Next message: David Rientjes: "Re: [RFC 1/3] oom, sysrq: Skip over oom victims and killed tasks"
Previous message: Rusty Russell: "Re: [PATCH RESEND] driver-core: fix modparam async_probe request"
In reply to: Eric W. Biederman: "Re: [kernel-hardening] Re: 2015 kernel CVEs"
Next in thread: Jann Horn: "Re: [kernel-hardening] 2015 kernel CVEs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dan Carpenter <dan.carpenter@xxxxxxxxxx> writes:

> I like to look back over old CVEs to see how we could do better. Here
> is the list from 2015. I got most of this information from the Ubuntu
> CVE tracker. Thanks Ubuntu!. If it doesn't have a hash that means it
> might not be fixed yet.
>
> CVE-2015-8709 : ptrace: race in user namespaces let's users trace root processes

As this isn't a kernel bug, and is not a race, and no one has even
bothered to see if any userspace processes are this stupid I don't even
think that qualifies as a CVE.

There is room for improvement in this area but I don't see how this
qualifies as a CVE.

So for doing better I recommend a little more vetting and paying
attention before assigning CVEs.

Eric

Next message: David Rientjes: "Re: [RFC 1/3] oom, sysrq: Skip over oom victims and killed tasks"
Previous message: Rusty Russell: "Re: [PATCH RESEND] driver-core: fix modparam async_probe request"
In reply to: Eric W. Biederman: "Re: [kernel-hardening] Re: 2015 kernel CVEs"
Next in thread: Jann Horn: "Re: [kernel-hardening] 2015 kernel CVEs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]