oss-sec mailing list archives
Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)
From: Solar Designer <solar () openwall com>
Date: Wed, 28 Jan 2015 05:18:42 +0300
On Tue, Jan 27, 2015 at 05:45:17PM -0800, Qualys Security Advisory wrote:
> On Tue, Jan 27, 2015 at 08:45:12PM +0300, Solar Designer wrote:
> > He found out that apparently the ghost image appeared on the Qualys website on October 2.
>
> What?! No idea where this image came from, who created it, or why, or when. What is absolutely certain is that October 2 has nothing to do with this bug, simply because the first time someone here had the idea of calling it "GHOST" was on Friday evening! Yes, Friday, January 23, 2015!

Great. Then I suppose this was a pre-existing stock image with that date, and someone found and re-used it later for this purpose preserving its older (unrelated) timestamp. Sounds like a plausible guess.

> Please please please, less pointless bickering, more code auditing.

I agree, but I think this is not bickering, but rather reflections on modern vulnerability handling processes. This is not about blame, at least not for me. Vulnerabilities with names and logos are a fairly recent trend, although use of vulnerabilities for PR isn't new (many if not most of us are doing it to a varying extent, often with the noble goal of being able to do more work like this; that's OK).

We're trying to figure out whether this has drawbacks, which ones, how bad (or not) they are, and how we can do better (or motivate others to do better). By demonstrating that your company did not sit on this for too long you'd provide a good example to others. And by discussing these aspects we demonstrate that we care about disclosure timelines.

And, one thing I regret I did not suggest to you to add to the advisory is a timeline. I have no idea what it looked like prior to the point when you contacted me earlier this month.

Finally, let me state that I find the quality and extent of your analysis impressive, and that it really helps. Thank you!

Alexander