On Wed, 21 Feb 2024 at 16:05, Moritz Muehlenhoff <j...@inutil.org> wrote:
>
> On Tue, Feb 20, 2024 at 10:11:35PM +0100, Matthias Klumpp wrote:
> > The CVE page lists that commit as "patch" now, and given that emitting
> > a finished transaction as finished multiple times could indeed cause
> > issues (and use-after-free issues potentially as well), I am inclined
> > to think that that's indeed the issue here and that the patch fixes
> > it.
>
> Ok.
>
> > That would mean though that all PK versions starting from and
> > including 1.2.7 are not vulnerable... But the CVE tells otherwise.
> > Very odd.
>
> But https://www.cve.org/CVERecord?id=CVE-2024-0217 only states
> "unaffected at 1.2.7", which seems to be based on the git tag of
> the referenced commit?

We are all confused. Neal and I asked on the RHEL bug report again:
https://bugzilla.redhat.com/show_bug.cgi?id=2256624#c6
We really need more information here.

I'd read the "unaffected at 1.2.7" as version 1.2.7 and higher not
having the bug... But then again, on another page it said that the
respective patch only lowered the impact...
I remember merging that patch, and it was a pretty good robustness
improvement, we didn't talk about any use-after-free issue there
though (so it's not obvious why this changes anything either).

Let's see if we get a reply from the CVE reporter!
Best,
    Matthias

-- 
I welcome VSRE emails. See http://vsre.info/
