Re: handling of Linux kernel vulnerabilities (was: CVE request - Linux kernel: VFAT slab-based buffer overflow)

[Greg KH <greg () kroah com>]

On Mon, Mar 04, 2013 at 10:12:56PM +0100, Eric Lacombe wrote:
> Hi,
>
> Le lundi 4 mars 2013 11:48:58, Greg KH a écrit :
> > On Sun, Mar 03, 2013 at 10:39:30PM -0500, Michael Gilbert wrote:
> > > I was getting encouraged by the recent anger-centric posts, the "what
> > > is it that we're supposed to do better?" ones. That gave me some
> > > encouragement that there was the possibility of positive change, but
> > > the "we're not going to make users more unsafe by telling them about
> > > issues affecting them" is a persistence of the denial state.  That
> > > logic completely violates the known idiom that knowledge is power:
> > > give users the knowledge that they need to protect themselves, and
> > > they will; starve them of that knowledge, and they remain vulnerable.
> >
> > That's a load of crap.
> >
> > Seriously, you know it only benefits the "bad guys" if I were to say,
> > "This patch just went into Linus's tree that fixes a security problem
> > that you can exploit in this manner".  No user would have a chance to
> > fix their systems before the vulnerability was added to the
> > "ultra-sploit" tool and everyone would have their systems trashed.
>
> I think there's a difference between disclosing the vulnerability and 
> disclosing it with a related exploit. The first one allows to fulfill what 
> Michael Gilbert explains without the consequences that you focus on.

You really think there is a difference?  I assert that there is none,
and history has shown that this is the case, but feel free to prove me
wrong.

> And as Michael Gilbert insisted on, I deeply think that the asymmetry of the 
> problem should be taken into account for defining the way of dealing with 
> security flaws.

Then why do we even have the linux-distros list at all?

greg k-h