ACK/Cmnt: [SRU][F][PATCH 0/1] CVE-2025-37782
Stefan Bader
stefan.bader at canonical.com
Fri May 23 09:35:12 UTC 2025
On 23.05.25 00:58, Cengiz Can wrote:
> https://ubuntu.com/security/CVE-2025-37782
>
> [ Impact ]
>
> Attila Szász discovered that the HFS+ file system implementation in the Linux
> Kernel contained a heap overflow vulnerability. An attacker could use a
> specially crafted file system image that, when mounted, could cause a denial of
> service (system crash) or possibly execute arbitrary code.
>
> [ Fix ]
>
> The SAUCE patch is being replaced with the upstream commit instead.
>
> Trusty: cherry picked from upstream
> Xenial: cherry picked from upstream
> Bionic: cherry picked from upstream
> Focal: cherry picked from upstream
>
> Jammy: will receive from stable updates
> Noble: will receive from stable updates
> Oracular: will receive from stable updates
>
> [ Test Plan ]
>
> Compile tested only.
>
> [ Where Problems Could Occur ]
>
> Users that mount legacy Apple HFS+ drives might encounter warnings.
>
>
Not sure anybody cares either way, but just for consideration: maybe this
kind of fixup should be handled by a tracking bug report instead of
using the CVE number. My reasoning would be that we consider the CVE
fixed before and after, and without a tracking bug report there is no way
to track whether the update went out.
Acked-by: Stefan Bader <stefan.bader at canonical.com>