Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1

[Theodore Ts'o]

It looks like this CVE hasn't been revoked yet, at least per
nvd.nist.gov?  Is that the best way to check kernel CVE's status?

Thanks,
					- Ted
					

On Tue, Dec 10, 2024 at 06:08:46AM +0000, Siddh Raman Pant wrote:
> On Mon, Dec 09 2024 at 21:56:23 +0530, Theodore Ts'o wrote:
> > On Mon, Dec 09, 2024 at 02:08:02PM +0100, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> > > Ok, so should it be revoked?
> 
> Yes, as this was an incorrect attempt at fixing CVE-2024-42305.
> 
> > We're not aware of a way of triggering the OOB error, so in that sense
> > the CVE is not valid.  There might be a way that someone might be able
> > to trigger it in the future; in that hypothetical future, there might
> > be some other fix that would address the root cause, but this would be
> > a belt and suspenders thing that might prevent that (hypothetical)
> > future.  So in that sense, it is highly commended that enterprise
> > distros and people who are not following the LTS kernels take this
> > patch.  But is it actually fixing a known vulnerability today?  Not
> > that we know of.
> > 
> > Cheers,
> > 
> > 						- Ted
> > 
> > P.S.  If some security researcher wants to find such a way, to educate
> > people on why using LTS kernels is superior, they should feel free to
> > consider this a challenge.  :-P
> 
> I agree.
> 
> Thanks,
> Siddh