Dailydave mailing list archives
Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1)
From: L.M.H <lmh () info-pull com>
Date: Sun, 12 Nov 2006 19:14:41 +0100
On 11/12/06, Steve Grubb <sgrubb () redhat com> wrote:
First let's say that FUD is the wrong word to use here. You are the one spreading FUD. Dave is not causing panic or a sense of "oh shit". He is merely point out the obvious...you have to either have privileges to perform mount or physical access to the machine. If all these are is DoS and you have physical access, why not just yank the power cord?
AFAIK Fedora Core and many other 'distributions' out there let unprivileged users mount filesystems, you don't need to be root to do it. Actually, you've worked around SELinux. We were sitting right next to each other during a developer meeting, right? Well, you can let policy decide in a fine-grained manner who is capable of mounting filesystems.
Until an exploit is written, these are just DoS crashes.
Steve, that doesn't make sense. Like arguing that an over-heating problem is just a cooling problem until something burns out. Check what Ilja wrote in a comment to Dave's blog. Anyway, don't take me wrong, but I'm not here to educate yourself on security matters.
Because that is the responsible thing to do. If a bug is not assessed that could be a security issue, it should be private until a determination has been made one way or another. This also brings up the point that you are posting bugs I found to the MoKB as if you found them and not giving me credit. This also goes for the squash double free (which the kernel catches) and the ext3 softlock up - both of which were in bugzilla a while back. There are also bugs filed for hfs and gfs2 - which simply crash the system.
Right, HFS has null ptr dereference problems and a memory leak issue, probaly more issues (...). GFS2 is as well broken. On the crediting part... hmm, mind if I ask you who approached you with filesystem issues back in March? The assumption that I didn't know about the other issues before even commenting to you about them is totally flawed as well. BTW, how's that in every mention from Red Hat (as in employees, including yourself) about fsfuzzer, it appears as you're the only one, first and original, developer of fsfuzzer? Not that I care, but I find it amusing. I get all sorts of apologies over private e-mail but the public side is there to check. And I would like to know about your comment on that bugzilla entry begging for the bug to be fixed 'before the month of kernel bugs starts (nov. 1)'. The timing is what strikes me.
reason these bugs need to be fixed. If you have root to do mounting, there are so many ways to crash your own machine.
*Mounts a USB stick in FC5 as nobody* *Inserts CD, mounted* What about network-based filesystems? Too may hints already...
The need to make file systems more robust is the reason that I worked on fsfuzzer with you.
What about the Python bytecode bug? Probably not a big deal, but it's still unpatched. For over a year, I remember I sent it to you and some other people there.
If you have physical access to a machine, you can put your favorite distro in the CD-Rom tray and install anything you want on the system. So, no I do not believe this falls into security fixes because there are easier ways to compromise a box if you are root or have physical access.
You're arguing the same over and over. Worst of all, you know that you're talking BS on this, as Fedora Core (no RHEL handy to test here) let's non-privileged users mount filesystems. Automount magic. Anyway, I'll repeat myself: I'm not here to educate yourself on security matters.
PS the above is not FUD since I'm not spreading fear.
No, you're just spreading uncertainty and doubt. Cheers.
Attachment:
poc.pyc
Description:
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1) L . M . H (Nov 11)
- Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1) PERFECT . MATERIAL (Nov 11)
- Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1) L . M . H (Nov 11)
- Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1) Steve Grubb (Nov 12)
- Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1) Gadi Evron (Nov 12)
- Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1) Steve Grubb (Nov 12)
- Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1) L . M . H (Nov 13)
- Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1) Steve Grubb (Nov 17)
- Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1) L . M . H (Nov 17)
- Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1) Gadi Evron (Nov 12)
- Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1) PERFECT . MATERIAL (Nov 11)
- Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1) Steve Grubb (Nov 12)