oss-security February 2011 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: Re: [oss-security] CVE request: kernel: btrfs heap

Re: [oss-security] CVE request: kernel: btrfs heap overflow

From: Steven M. Christey <coley_at_nospam>
Date: Thu Feb 10 2011 - 15:13:57 GMT
To: oss-security@lists.openwall.com

The Linux kernel (and open source in general) can be unusual because,
ideally, you only want CVEs assigned for "published" code that has some
chance of being used in somebody's network. The OSS model more-or-less
means that all code is public. In the ancient days of early CVE, we
considered excluding code that was only in beta, but then you had software
with extremely large user bases (sometimes in the millions) that were in
permanent "beta," and that still happens today.

Add on the rapidly-changing nature of the Linux kernel and the fact that
so many different versions are used in so many distros and other
environments, and the amount of research that the distros seem to have to
conduct to figure out if their local kernel version is affected or not,
and the impossibility of an outsider (CVE) having full knowledge of which
code is being used where, means that CVE assignment even for release
candidates is a reasonable thing to do (the analytical expense of studying
the kernel, affected versions, and related distributions is just too high
- creating a CVE for a reported issue is much less expensive).

- Steve