@cyphar is there a fix in flight for the issue yet?
@caniszczyk I'm still working on it. I'll try to arrange a hotfix, but as mentioned on the mailing list the only real solution is to wholesale port everything to libpathrs (which is going to take a while). EDIT: Also this report has a slight inaccuracy when talking about the double-volume bug -- there are actually two ways to mount over a file descriptor (you just mount over
CVE-2019-19921 has been assigned for the issue. |
@cyphar, when will the details on CVE-2019-19921 be public? I see the CVE is also mentioned in https://lore.kernel.org/stable/20191230052036.8765-2-cyphar@cyphar.com/ Edit: never mind, I see the Security-Audit.pdf contains the report and is accessible.
@carnil I plan to (re)publish the details on the relevant security mailing lists after I have a PR open for the issue (there won't be an embargo because it was publicly disclosed by this PR). |
Here's the original report: #2197 |
needs a rebase |
86f246a to c0b301a
@caniszczyk You merged LGTM. |
Signed-off-by: Amye Scavarda Perrin <amye@linuxfoundation.org>
Signed-off-by: Amye Scavarda Perrin <amye@linuxfoundation.org>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
c0b301a to 7d23d1e
Travis failure was because @amye's
LGTM. |
Removing redundant checks++ |
And now PullApprove is broken. 😡 Screw it, I'm just going to merge once Travis succeeds and count @caniszczyk's LGTM as applying to the newest commits. |
Adding security audit, editing readme with new security.md file.
This would be super to pass the DCO bot as everything matches now. :)