oss-sec mailing list archives
Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code
From: Solar Designer <solar () openwall com>
Date: Tue, 7 Oct 2014 14:43:43 +0400
On Tue, Oct 07, 2014 at 09:05:40AM +0000, mancha wrote:
> it would help if you'd clarify your position more explicitly.
I recognize that embargoes are not necessarily beneficial overall and they have clear drawbacks and may be unfair to some (hence my easy adoption of the opponents' term "selective disclosure" despite its negative connotation), yet I think that sometimes they are in fact beneficial overall, and I have little or no control over whether they are imposed by the reporter of an issue.

For now, I intend to continue hosting the distros list as a tool to facilitate safer handling and discussion of embargoed issues between representatives of the (selected) distros. I suggest and ask that existing members of the distros list try to volunteer extra time to review proposed patches and the software being patched for possible related flaws. I doubt that this suggestion and request will change things much, but it "costs" nothing in terms of extra risks or slippery slopes (which would be a concern if we started adding non-distro security researchers to the list), so we have nothing to lose by asking. In the case of Shellshock, there wasn't a clear enough opportunity for distros list members to change how the vulnerability would be fixed pre-disclosure, but I mean the above in general.

A related aspect is that the distros list is currently specified as being intended for medium overall severity issues. The rationale behind this is that low severity issues don't need embargoes, and high severity issues are worthy of special handling where they are to be disclosed to affected distros only rather than to all at once. I think it's the latter aspect which correctly prompted Florian to post just a heads-up to the distros list, requiring that affected distros who actually intended to work on the issue within the allotted 2 days actively request the information. Unfortunately, this approach, while safer against leaks, precludes pre-disclosure reviews by distros who do not feel they need to patch the issue for themselves before it becomes public.

Maybe this implies that those distros' representatives would not care to review the patch anyway, or maybe not. Possibly more importantly, it precludes discussion of high severity issues between distros on the distros list, if those issues were (correctly) only announced in the form of heads-up messages requiring direct contact for detail. I think an exception needs to be made to encourage discussion of high severity issues taking advantage of the distros list PGP re-encryption when that is expected to be beneficial, although unfortunately that is hard to know in advance.

Alexander
Current thread:
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code, (continued)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Solar Designer (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code David A. Wheeler (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Solar Designer (Oct 05)
- RE: Shellshocker - Repository of "Shellshock" Proof of Concept Code Sona Sarmadi (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Kurt Seifried (Oct 05)
- RE: Shellshocker - Repository of "Shellshock" Proof of Concept Code Sona Sarmadi (Oct 06)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Solar Designer (Oct 06)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code mancha (Oct 06)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Solar Designer (Oct 07)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code mancha (Oct 07)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Solar Designer (Oct 07)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Chet Ramey (Oct 07)
- Re: Aftershock (was: Shellshocker - Repository of "Shellshock" Proof of Concept Code) mancha (Oct 08)
- Re: Aftershock Chet Ramey (Oct 09)
- RE: Shellshocker - Repository of "Shellshock" Proof of Concept Code Sona Sarmadi (Oct 07)