Full Disclosure mailing list archives
Re: Linux's unofficial security-through-coverup policy
From: Valdis.Kletnieks () vt edu
Date: Wed, 16 Jul 2008 16:06:57 -0400
On Wed, 16 Jul 2008 09:44:37 EDT, Brad Spengler said:
To illustrate the point, in the 2.6.25.10 kernel, the following fix was
included with the commit message of:
Roland McGrath (1):
x86_64 ptrace: fix sys32_ptrace task_struct leak
The kernel was released with no mention of security vulnerabilities in
the announcement, only "assorted bugfixes".
Put simply, it only took about an hour or so to develop a PoC for this
exploitable vulnerability which affects 64bit x86_64 kernels since
January.
So tell me Brad - if Roland fixed a bug, *and didn't even realize it was a security-exploitable* issue, how do you propose we proceed? Do you suggest that we stop and look at *every single commit* that fixes a bug, and see if there's some corner case that makes it exploitable? (Hint - I suggest you go look at the number of git commits done during the average -rc1 kernel lately, and figure out where the manpower will come from). Or go trawling through the linux-kernel archives, and see how many times I've reported an Oops or panic or hang (the answer is "so many I've lost count"). Yes, I probably should have (in your world) gotten some big splashy "security advisory" out. But you know what? *IT* *DOESN'T* *ACTUALLY* *MATTER* *IN* *THE* *REAL* *WORLD*. Just yesterday, I was talking on IRC to a rather clued individual, who was still running 2.6.18 or so - because he had mission-critical custom patches that hadn't been migrated to 2.6.25 yet. And that's the *clued* user. The *average* user, even a non-Windows one, wouldn't know how to correctly deal with a security advisory unless it bit them on the ass. Literally. The vast majority of them simply install updates when they show up from their distro. They don't know how to build their own kernel, they can't analyze the threat model coherently, so it basically changes into "I'll install it when it shows up in the GUI window of my distro's patch manager". The percentage of users that a more detailed bug announcement would actually help is probably on the order of 0.05% or so. The *other* 99.95% of them, it's "A new update is available. Install? ( ) Yes ( ) No". OK, so we do Linux bugfix announcements the way *you* recommend. Now suggest something *workable* for the *other* 99.95% that will *still* be vulnerable.
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Linux's unofficial security-through-coverup policy Brad Spengler (Jul 16)
- Re: Linux's unofficial security-through-coverup policy M. Shirk (Jul 16)
- Re: Linux's unofficial security-through-coverup policy Robert Peaslee (Jul 16)
- Re: Linux's unofficial security-through-coverup policy Valdis . Kletnieks (Jul 16)
- Re: Linux's unofficial security-through-coverup policy Brad Spengler (Jul 16)
- Re: [Dailydave] Linux's unofficial security-through-coverup policy Blue Boar (Jul 17)
- Re: [Dailydave] Linux's unofficial security-through-coverup policy staff (Jul 17)
- Re: [Dailydave] Linux's unofficial security-through-coverup policy Joel Jose (Jul 18)
- Re: [Dailydave] Linux's unofficial security-through-coverup policy Valdis . Kletnieks (Jul 18)
- Re: [Dailydave] Linux's unofficial security-through-coverup policy Joel Jose (Jul 18)
- Re: Linux's unofficial security-through-coverup policy Brad Spengler (Jul 16)
- Re: Linux's unofficial security-through-coverup policy Brad Spengler (Jul 16)
- Re: Linux's unofficial security-through-coveruppolicy Garrett Groff (Jul 16)
- Re: [Dailydave] Linux's unofficial security-through-coverup policy Dave Aitel (Jul 17)