Dailydave mailing list archives

Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1)


From: L.M.H <lmh () info-pull com>
Date: Sun, 12 Nov 2006 19:14:41 +0100

On 11/12/06, Steve Grubb <sgrubb () redhat com> wrote:
> First let's say that FUD is the wrong word to use here. You are the one
> spreading FUD. Dave is not causing panic or a sense of "oh shit". He is
> merely pointing out the obvious...you have to either have privileges to perform
> mount or physical access to the machine. If all these are is DoS and you have
> physical access, why not just yank the power cord?

AFAIK Fedora Core and many other 'distributions' out there let
unprivileged users mount filesystems, you don't need to be root to do
it. Actually, you've worked around SELinux. We were sitting right next
to each other during a developer meeting, right? Well, you can let
policy decide in a fine-grained manner who is capable of mounting
filesystems.

> Until an exploit is written, these are just DoS crashes.

Steve, that doesn't make sense. Like arguing that an over-heating
problem is just a cooling problem until something burns out. Check
what Ilja wrote in a comment to Dave's blog.

Anyway, don't take me wrong, but I'm not here to educate you on
security matters.


> Because that is the responsible thing to do. If a bug is not assessed that
> could be a security issue, it should be private until a determination has
> been made one way or another. This also brings up the point that you are
> posting bugs I found to the MoKB as if you found them and not giving me
> credit. This also goes for the squash double free (which the kernel catches)
> and the ext3 softlock up - both of which were in bugzilla a while back. There
> are also bugs filed for hfs and gfs2 - which simply crash the system.

Right, HFS has null ptr dereference problems and a memory leak issue,
probably more issues (...). GFS2 is broken as well.

On the crediting part... hmm, mind if I ask you who approached you
with filesystem issues back in March?  The assumption that I didn't
know about the other issues before even commenting to you about them
is totally flawed as well.

BTW, how is it that in every mention from Red Hat (as in employees,
including yourself) about fsfuzzer, it appears as if you're the only one,
first and original, developer of fsfuzzer? Not that I care, but I find
it amusing. I get all sorts of apologies over private e-mail but the
public side is there to check.

And I would like to know about your comment on that bugzilla entry
begging for the bug to be fixed 'before the month of kernel bugs
starts (nov. 1)'. The timing is what strikes me.

> reason these bugs need to be fixed. If you have root to do mounting, there
> are so many ways to crash your own machine.

*Mounts a USB stick in FC5 as nobody*
*Inserts CD, mounted*

What about network-based filesystems? Too many hints already...

> The need to make file systems
> more robust is the reason that I worked on fsfuzzer with you.

What about the Python bytecode bug? Probably not a big deal, but it's
still unpatched. For over a year, I remember I sent it to you and some
other people there.

> If you have physical access to a machine, you can put your favorite distro in
> the CD-Rom tray and install anything you want on the system. So, no I do not
> believe this falls into security fixes because there are easier ways to
> compromise a box if you are root or have physical access.

You're arguing the same over and over. Worst of all, you know that
you're talking BS on this, as Fedora Core (no RHEL handy to test here)
lets non-privileged users mount filesystems. Automount magic. Anyway,
I'll repeat myself: I'm not here to educate you on security
matters.

> PS the above is not FUD since I'm not spreading fear.

No, you're just spreading uncertainty and doubt.

Cheers.

Attachment: poc.pyc

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave