Dailydave mailing list archives

Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1)


From: Steve Grubb <sgrubb () redhat com>
Date: Sun, 12 Nov 2006 10:30:34 -0500

On Saturday 11 November 2006 16:46, L.M.H wrote:
> OK, enough FUD already.

First let's say that FUD is the wrong word to use here. You are the one 
spreading FUD. Dave is not causing panic or a sense of "oh shit". He is 
merely pointing out the obvious...you have to either have privileges to perform 
mount or physical access to the machine. If all these are is DoS and you have 
physical access, why not just yank the power cord? Until an exploit is 
written, these are just DoS crashes.

> There's something that strikes me, why a bug 'with no security
> implications' is marked as private to Red Hat employees?

Because that is the responsible thing to do. If a bug is not assessed that 
could be a security issue, it should be private until a determination has 
been made one way or another. This also brings up the point that you are 
posting bugs I found to the MoKB as if you found them and not giving me 
credit. This also goes for the squash double free (which the kernel catches) 
and the ext3 softlock up - both of which were in bugzilla a while back. There 
are also bugs filed for hfs and gfs2 - which simply crash the system.

These bugs do need to be fixed based on robustness criteria not necessarily 
security criteria. It is normal for people to have a disk crash and want to 
mount the corrupted disk in effort to salvage what they can. This is the main 
reason these bugs need to be fixed. If you have root to do mounting, there 
are so many ways to crash your own machine. The need to make file systems 
more robust is the reason that I worked on fsfuzzer with you.

If you have physical access to a machine, you can put your favorite distro in 
the CD-ROM tray and install anything you want on the system. So, no I do not 
believe this falls into security fixes because there are easier ways to 
compromise a box if you are root or have physical access.

-Steve

PS the above is not FUD since I'm not spreading fear.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
