ACK/Cmnt: [SRU][F][PATCH 0/1] CVE-2025-37782

Cengiz Can cengiz.can at canonical.com
Fri May 23 10:30:05 UTC 2025


On 23-05-25 11:35:12, Stefan Bader wrote:
> On 23.05.25 00:58, Cengiz Can wrote:
> > https://ubuntu.com/security/CVE-2025-37782
> > 
> > [ Impact ]
> > 
> > Attila Szász discovered that the HFS+ file system implementation in the Linux
> > Kernel contained a heap overflow vulnerability. An attacker could use a
> > specially crafted file system image that, when mounted, could cause a denial of
> > service (system crash) or possibly execute arbitrary code.
> > [ Fix ]
> > SAUCE patch is getting replaced with upstream commit instead.
> > Trusty: cherry picked from upstream
> > Xenial: cherry picked from upstream
> > Bionic: cherry picked from upstream
> > Focal: cherry picked from upstream
> > Jammy: will receive from stable updates
> > Noble: will receive from stable updates
> > Oracular: will receive from stable updates
> > [ Test Plan ]
> > Compile tested only.
> > [ Where Problems Could Occur ]
> > Users that mount legacy Apple HFS+ drives might encounter warnings.
> > 
> > 
> 
> Not sure anybody cares either way but just for consideration: maybe this
> kind of fixup should be handled by a tracking bug report instead of using
> the CVE number. My reasoning would be that we consider the CVE fixed before
> and after and without tracking bug report there is no way to track whether
> the update went out.

You're right. We should use LP bugs next time.

This is a problematic case, because the original CVE is no longer published and
a new CVE was created with the exact same details. So we're vulnerable to the
new CVE in theory.

These patches will mark that new CVE as fixed.

Very confusing. :/

> 
> Acked-by: Stefan Bader <stefan.bader at canonical.com>







