Bugtraq mailing list archives
Re: [linux-security] [RHSA-1999:023-01] Potential security problem in gnumeric 0.23
From: R.E.Wolff () BITWIZARD NL (Rogier Wolff)
Date: Sat, 31 Jul 1999 12:20:08 +0200
This discussion can go on endlessly. It has been fought time and time again in the past.... BUT...

David Schwartz wrote:

> > Give people a chance to upgrade Gnumeric and I will happily share
> > the information with bugtraq (if someone does not read the 10 diffs
> > in the meantime).
>
> I understand your intentions, but I don't think they make any sense.
>
> > I do not understand what you mean. Why do you say it does not make
> > sense to try (only try) to protect users by not disclosing the
> > information now?
>
> Because the way you have left things, only those most strongly
> motivated to determine the exploit will know it. Those most strongly
> motivated to determine it are those who would exploit it. And you've
> left the users in the dark.
>
> > You can trust me in the meantime. Hey, if you are running Gnumeric
> > currently you are already trusting me ;-)
>
> It's not a matter of trusting you. It's a matter of having sufficient
> information to determine whether this exploit warrants an immediate
> upgrade.
If the "class" of the problem is disclosed, you should trust others on the issue. Some (like I on my single-user workstations) don't care about local -> root problems. Remote entry problems are non-issues on my standalone machines. Whether or not that information was disclosed in this case is beside the issue.

Most people are not capable of determining whether or not they are vulnerable. I tried it once: given an exploit, about 50% of the people incorrectly report that they are not vulnerable. Many sysops seem to need to see an exploit work before they agree that they are vulnerable. So, even if the exploit is published, I expect around 50% of the "dumb" (those who insist on seeing a working exploit) sysops to try and fail at running the exploit, and then decide not to upgrade, "because they are not vulnerable".

A lead-time of a few weeks where vendors/maintainers are notified and enabled to decide on a fix and compile new binaries is not bad. Bugs have been present for months, and the chances of many different people stumbling on the same problem in the same week are acceptably small. After the fix is released, you can count on the exploits popping up reasonably quickly. Reading the diffs isn't that hard. But a vendor/maintainer/finder does no good in releasing the exploit themselves.

If upon seeing the exploit not working on your system you would decide not to upgrade, your system is vulnerable to the dumb-sysadmin problem. You've already left lots of holes because you weren't able to run a simple exploit. The problem is that you have to take into account that the bad guys might be smarter than you are. So even if your testing shows that the exploit doesn't work, you have to assume that the bad guys can get it to work. So whether or not you get to see the exploit work, you need to take the information at face value.

Roger.
--
** R.E.Wolff () BitWizard nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------