Full Disclosure mailing list archives
Re: Mr. Magorium's Wunderbar Emporium
From: Valdis.Kletnieks () vt edu
Date: Fri, 14 Aug 2009 16:49:13 -0400
On Fri, 14 Aug 2009 14:53:06 EDT, Brad Spengler said:
> "Congrats" Linus on screwing over all the vendors and every Linux user by forcing disclosure of the bug before vendors could ship out updated kernels. Your patch applies well to their binary packages.

Poor Linus can't catch a break. Just like 3 weeks ago some guy named Brad Spengler was ripping him a new one:

"(Really there should have been a CVE for the lack of -fno-delete-null-pointer-checks instead of pretending the only problem was /dev/net/tun. As the commit to add it showed (and at least 10 other commits to the kernel this weekend) lots of other code was affected, so someone not applying a fix for a CVE mentioning only /dev/net/tun because they don't have the code for /dev/net/tun compiled in, is going to be missing out on a number of fixes)."

Of course, getting a CVE for that issue would have forced disclosure of the bug too, quite possibly before the vendors were ready to ship updated kernels. In general, you *can't* have both "flag fixes as security issues right up front before vendors have a chance to backport" and "don't screw over the vendors and users".

So how do you suggest that Linus could have handled this in a manner that didn't screw over vendors and users? Out of curiosity, did *you* do your due diligence and not release that exploit until you had verified that all the vendors had updated kernels ready to ship? :)