oss-sec mailing list archives
Re: Qualys Security Advisory - The Stack Clash
From: Solar Designer <solar () openwall com>
Date: Wed, 21 Jun 2017 15:57:27 +0200
On Wed, Jun 21, 2017 at 08:25:26AM -0400, Brad Spengler wrote:
> Finally, one thing I noted was missing from Solar's timeline is that on May 18th, the day after the private distros list was notified with details, this commit appeared in public: https://github.com/openbsd/src/commit/4ed6bfeac112229466414b94cdbd983fb8017796

IIRC, they also committed a relevant fix to their qsort().

> OpenBSD publishing this commit, in combination with Solar making repeated mentions here on oss-sec about a cross-OS issue being worked on was enough for me to know that the underlying issue being discussed was what we had widely discussed publicly in 2010 on LWN and elsewhere. What's the official explanation for this, and is any action being taken for what I assume is a member of the private list breaking the embargo?

OpenBSD isn't a member of the distros list - they were notified by Qualys separately. This matter was discussed, and some folks were unhappy about OpenBSD's action, but in the end it was decided that since, as you correctly say, the underlying issue was already publicly known, OpenBSD's commits don't change things much. Sure this draws renewed attention to the problem, but probably not to the extent and in the many specific ways the Qualys findings cover. So it was decided to keep the embargo on the detail.

Ditto for the "move mmap_area and PIE binaries away from the stack" patch series posted to LKML and CC'ed to kernel-hardening on June 2: http://www.openwall.com/lists/kernel-hardening/2017/06/02/ which might have been inspired by Qualys work known to Red Hat engineers internally. A difference is that Red Hat is a member of the distros list. I brought this up on the distros list, and another Red Hat person said "We'll deal with this internally." Given the circumstances, I find this response satisfactory.

I am far more concerned about the total embargo duration here than about these two semi-leaks.

Alexander