oss-sec mailing list archives
Re: CVE request - Linux kernel: VFAT slab-based buffer overflow
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Wed, 27 Feb 2013 11:46:01 -0800
On 02/27/2013 11:26 AM, Jason A. Donenfeld wrote:
> "If you see something, say something."
I'd love it if it were this simple, but it's not. It's work. Look at the examples of good security reports on this list (e.g. ones that were issued CVEs with no extra discussion needed). These reports require thoughtful analysis, testing, and a good sense of what the tradeoffs are for making the fixes. This takes time (and skill). Sometimes all the work and analysis leads to a conclusion that the failure was not actually exploitable in any significant way.

And not every fix has obvious security implications -- some only become apparent after the investigative work is done. Some fixes are simple, fixing them has no obvious side effects, and there is clear evidence that not fixing them could lead to an exploit. You could even argue that the issue that started this thread is one of them (though I haven't spent enough time to understand it well enough to know if that's the case).

If *every* bug fix were reported to oss-security without this work, as something like "I'm not sure, but this might be security-related", then this list would drown in noise (the NYC MTA's supposed anti-terrorism campaign suffers this same flaw, btw).

So, we have a culture of asking people to report security flaws only after doing some level of work to ensure that the report is correct and understood. We have to acknowledge that this is extra work, and not everyone has the time (or skill) to do it properly.

--dkg