On Thu, Nov 03, 2022 at 04:22:58PM +0100, Marek Vasut wrote: > On 11/3/22 05:07, Venkatesh Yadav Abbarapu wrote: > > DFU implementation does not bound the length field in USB > > DFU download setup packets, and it does not verify that > > the transfer direction. Fixing the length and transfer > > direction. > > > > CVE-2022-2347 > > +CC Tom > > Reading through https://seclists.org/oss-sec/2022/q3/41 the disclosure > timeline at the end, I am really sad that this only reached me (as the USB > maintainer) now in this form. > > Maybe there should be some dedicated advertised ML for these things ?
A doc/develop/security.rst would be good to have in hopes of getting the initial inquiries out correctly (I see this one went to several wrong places). My strong preference is to disclose things in public first as it's unlikely malicious actors don't already know about an issue. I don't want a list for the cases where that's not possible for other reasons, but I'm fine with (continuing) to be the primary point of contact for issues. > > Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbar...@amd.com> > > Reviewed-by: Marek Vasut <ma...@denx.de> > > Tom, please pick this directly soon. I see some other USB patches outstanding as well atm, I can grab this all the same but do you want to make a USB PR with this and a few others? -- Tom
signature.asc
Description: PGP signature
