Re: [PATCH] X.509: Fix the time validation [ver #3]

2015-12-11 Thread David Howells
Greg Kroah-Hartman wrote: > David, any reason you didn't put a cc: stable in the commit for it to be > picked up in the stable releases? I did cc it to stable. David

Re: [PATCH] X.509: Fix the time validation [ver #3]

2015-12-11 Thread Josh Boyer
On Fri, Dec 11, 2015 at 6:13 AM, David Howells wrote: > Greg Kroah-Hartman wrote: > >> David, any reason you didn't put a cc: stable in the commit for it to be >> picked up in the stable releases? > > I did cc it to stable. You had the stable

Re: [PATCH] X.509: Fix the time validation [ver #3]

2015-12-10 Thread Alexander Holler
On 12.11.2015 at 12:38, David Howells wrote: This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards. Fix the X.509 time validation to use month number-1 when looking up the number of days in that month. Also put the month number validation before doing the lookup so as not to risk

Re: [PATCH] X.509: Fix the time validation [ver #3]

2015-12-10 Thread Greg Kroah-Hartman
On Thu, Dec 10, 2015 at 07:00:46PM +0100, Alexander Holler wrote: > On 10.12.2015 at 16:34, Alexander Holler wrote: > >On 10.12.2015 at 16:26, Greg Kroah-Hartman wrote: > >>On Thu, Dec 10, 2015 at 04:15:22PM +0100, Alexander Holler wrote: > > > >>>Just in case of, I would suggest to quickly push

Re: [PATCH] X.509: Fix the time validation [ver #3]

2015-12-10 Thread Alexander Holler
On 10.12.2015 at 19:09, Greg Kroah-Hartman wrote: We already have one other report of this problem hitting them. I've now released 4.3.2-rc1, with a "quick" review period of 24 hours before I release 4.3.2 with just this fix. If you could verify I didn't mess anything up I would appreciate

Re: [PATCH] X.509: Fix the time validation [ver #3]

2015-12-10 Thread Alexander Holler
On 10.12.2015 at 16:34, Alexander Holler wrote: On 10.12.2015 at 16:26, Greg Kroah-Hartman wrote: On Thu, Dec 10, 2015 at 04:15:22PM +0100, Alexander Holler wrote: Just in case of, I would suggest to quickly push out 4.3.2 (only 4.3 seems to be affected) which contains at least the patch

Re: [PATCH] X.509: Fix the time validation [ver #3]

2015-12-10 Thread Alexander Holler
On 10.12.2015 at 16:26, Greg Kroah-Hartman wrote: On Thu, Dec 10, 2015 at 04:15:22PM +0100, Alexander Holler wrote: Just in case of, I would suggest to quickly push out 4.3.2 (only 4.3 seems to be affected) which contains at least the patch mentioned in the subject

Re: [PATCH] X.509: Fix the time validation [ver #3]

2015-12-10 Thread Alexander Holler
On 10.12.2015 at 10:23, Alexander Holler wrote: On 12.11.2015 at 12:38, David Howells wrote: This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards. Fix the X.509 time validation to use month number-1 when looking up the number of days in that month. Also put the month number

Re: [PATCH] X.509: Fix the time validation [ver #3]

2015-12-10 Thread Greg Kroah-Hartman
On Thu, Dec 10, 2015 at 04:15:22PM +0100, Alexander Holler wrote: > On 10.12.2015 at 10:23, Alexander Holler wrote: > >On 12.11.2015 at 12:38, David Howells wrote: > >>This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards. > >> > >>Fix the X.509 time validation to use month number-1

[PATCH] X.509: Fix the time validation [ver #3]

2015-11-12 Thread David Howells
This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards. Fix the X.509 time validation to use month number-1 when looking up the number of days in that month. Also put the month number validation before doing the lookup so as not to risk overrunning the array. This can be tested by