Bugtraq mailing list archives
Re: OpenBSD xlock exploit
From: Theo de Raadt <deraadt () CVS OPENBSD ORG>
Date: Fri, 6 Oct 2000 13:42:09 -0600
why dont you tell people about shit like this then all this comotion can be avoided.
We did.
Like K2 said.. maybe a mention in the CHANGELOG
You mean, like how http://www.openbsd.org/plus.html contains a big fat red marker about this issue, and has since the day we fixed the bug? Or how http://www.openbsd.org/security.html#27 has a big note pointing to the errata entry? Or how about how even http://www.openbsd.org/errata.html has a big block about it, and a link to the patch file. I am sorry, but you and K2 are out of line when you say that we didn't tell the world about this. We did.
or an advisory written,
For xlock, we did not write an advisory, but it was pretty clear on bugtraq that it affected pretty much everyone. Why are you so surprised? Are you perhaps just out of touch?
instead of fixing a problem and not notifying other users of a specific security vulnerability in particular application.
When we know, or deeply suspect, that something is a security hole, we put patches out. However, when we fix a couple hundred format string bugs, we do not post a patch for everyone of them. Nor do we do all that much thinking about which ones are going to be exploitable, since we don't write exploits, and also tend to be rather busy with a whole bunch of other stuff too. You'll note that we were real sure the ftpd one was, and we did put a patch out for that. For talkd, we still don't know. We have a curses patch too for setuid/setgid programs that end up loading $HOME/.termlib when they shouldn't, since then they run into the hundreds of other potential bugs in curses. Those errata entry are going up within the hour. The chain of command did break down, I mean, I am even in Sweden and these errata should have gone out the hour that we became aware of potential things, considering fixes were written before we knew they were real security issues. We do not want to cry wolf. So, and I see this with sincere sarcasm, do you want me to post all of our patches for all of our format string fixes? I can, if you really want. Think about where bugtraq would head if we were to do that.
Current thread:
- OpenBSD xlock exploit Noir Desir (Oct 05)
- <Possible follow-ups>
- Re: OpenBSD xlock exploit lunguz (Oct 05)
- Re: OpenBSD xlock exploit Theo de Raadt (Oct 06)
- Re: OpenBSD xlock exploit Theo de Raadt (Oct 08)
- Re: OpenBSD xlock exploit Darren Reed (Oct 09)
- Re: OpenBSD xlock exploit Riley Hassell (Oct 10)