Re: Linux Kernel CIFS Vulnerability

["Valdis' Mustache" <security.mustachio () gmail com>]

Andrea,

Do not be alarmed! At the time of this writing, my owner is fervently
developing a response on this topic! It is a response which I have no doubt
will apply a virtual salve to all of your bugbears, and assuage other
tangential (and even unrelated) concerns as well.

Nonetheless, I feel compelled ejaculate on this topic myself - albeit
prematurely - since my response predates the presumably forthcoming warnings
soon to issue from the varied and sundry organisations who bundle the Linux
kernel distribution with their own customized versions of Tuxpaint and
SameGnome.

On to the point. I must assert that despite the sadly DeRaadtian handling of
this bug, a choice to run the Linux kernel and related software bundled with
it still remains a sound choice from a security standpoint.

This remains especially veritable if the Linux kernel in question is
improved with the addition of the excellent PageExec extensions, as
developed by an anonymous (and rumors have it, bemustached) gentleman in
Eastern Europe, and the unfortunately-named GotRoot access control and
kernel hardening modules, authored by a lovable misfit ensconced somewhere
in the bowels of a sanitarium in Maryland.

While the whims of Finns remain - as ever - unfathomable and abstruse, this
mustache stands firm as a believer that the selection of Linux is the lesser
of the four evils (BSD, Linux, Windows, and, least of all, Apple) servicably
available for my hairy computing choices.


Your Humble Servant,
A bajusz a Valdis


On Thu, Apr 9, 2009 at 9:52 AM, Andreas Bogk <andreas () andreas org> wrote:

> Thierry Zoller wrote:
> > AB> Neither the Linux kernel team, the CIFS maintainers nor any of
> > AB> the commercial Linux distributors bothered to send out an advisory.
> > AB> I'm at loss for words other than "irresponsible, arrogant
> > AB> assholes".  Linux 2009 == Microsoft 2002.
> > I  second  that,  the  reason is intersintg too; linus considers security
> > bugs  as  nothing  else than normal bugs.
>
> I don't mind his policy of "just fixing the bug".  But I do mind when
> the changelog doesn't clearly state "hey, we're fixing a security issue
> here".
>
> > The door closes slowly
> > for Linux in enterprises.
>
> So true, and so sad.  I remember a time when using Linux was giving
> actual security benefits over using Windows.  These times are over.
>
> And the security gap between MS and Open Source products will continue
> to widen.  The only OS project I know about that seriously tried to
> improve fundamental architectural security issues was BitC and CoyotOS.
> BitC is a programming language designed to combine the speed of C with
> the soundness of strongly typed fundamental languages, thus preventing a
> lot of bug classes from the start, and enabling correctness proofs
> across the code.  The project won't be finished, since the main author,
> Jonathan Shapiro, will soon hold a "fairly senior position" in the
> Midori project at MS.
>
> Andreas
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/