On Tue, Mar 05, 2019 at 10:00:39AM +0100, Thibaut Sautereau wrote:
On Tue, Mar 05, 2019 at 07:20:20AM +0100, Greg KH wrote:
On Mon, Mar 04, 2019 at 11:17:38PM +0100, Thibaut Sautereau wrote:
Commit f612acfae86af7ecad754ae6a46019be9da05b8e upstream ("exec: Fix mem leak in kernel_read_file"), addressing CVE-2019-8980, should be applied to 4.20, 4.19, 4.14 and 4.9 stable kernels.
Any reason you didn't cc: the authors of that patch?
No, I just forgot, sorry for that.
And as it _just_ went into Linus's tree today, give us a few weeks to get it backported...
Also, it's just a "normal" syzbot fix, for a very rare case, why is this a CVE?
I don't know (I'm not the one who requested a CVE), but I saw that this patch had been backported in Arch Linux's kernels to address CVE-2019-8980 [1] and that stable@kernel.org hadn't been put in Cc:.
As the fix was already waiting in a pull-request [2] from Al Viro, I thought it was too late to notify the author about Ccing stable, therefore I followed option 2 of Documentation/process/stable-kernel-rules.rst to ensure it would not fall through the cracks.
If that was the wrong way to do it, please tell me what I should have done in this case.
No, this is fine, just next time you should cc: the developers as well.
Also, this needs to go to 5.0.y, now queued up.
greg k-h