------- Original Message -------
On Wednesday, 13 November 2019, 4:37, Timothy Pearson <tpearson@xxxxxxxxxxxxxxxxxxxxx> wrote:

> I was recently informed on #btrfs that simply attaching a device with the same UUID as an active BTRFS filesystem to a system would cause silent corruption of the active disk.

BTRFS has two UUIDs: the "UUID" and "UUID_SUB".

> Two questions, since this seems like a fairly serious and potentially CVE-worthy bug (trivial case would seem to be a USB thumbdrive with a purposeful UUID collision used to quietly corrupt data on a system that is otherwise secured):

Are you from the security area? These people seem to be desperate to find real security holes, so they try to present any software error as a CVE. For example, they tried to present initrd pass-through to a root console [1] or systemd launching a service with root permissions as a CVE [2].

Regarding this btrfs UUID issue: the data will be silently corrupted, but this "CVE" would require physical access to the machine (like in the initrd case). Besides, this issue has been known for a long time.

Bad news: no one will earn a CVE badge for reporting this issue. Security trolls should find hope somewhere else.

[1] https://www.cvedetails.com/cve/CVE-2016-4484/
[2] https://www.securityweek.com/linux-systemd-gives-root-privileges-invalid-usernames
