oss-sec mailing list archives

RE: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access


From: Shachar Raindel <raindel () mellanox com>
Date: Thu, 2 Apr 2015 16:39:05 +0000



-----Original Message-----
From: Roland Dreier [mailto:roland () purestorage com]
Sent: Thursday, April 02, 2015 7:33 PM
To: Shachar Raindel
Cc: oss-security () lists openwall com; <linux-rdma () vger kernel org>
(linux-rdma () vger kernel org); stable () vger kernel org
Subject: Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected
physical memory access

On Thu, Apr 2, 2015 at 12:52 AM, Shachar Raindel <raindel () mellanox com>
wrote:
This is a common practice in the security industry, called
"responsible disclosure."

Following the kernel security bugs policy [1], we reported it to
the kernel security contacts a few days before making the issue public.
A few days after the issue became public, we published a clear report to all
of the relevant mailing lists.

Isn't the point of responsible disclosure to delay disclosure until a
fix is in place?  What's the point of sending a notification to the
kernel security team if you're going to disclose publicly before the
upstream kernel is fixed?


We delayed the disclosure until most major Linux vendors released a fix for
the issue, give or take in synchronization.

The Linux security contact list only guarantees secrecy for 7 days. We
therefore contacted them only close to the date at which fixes were going to
be released, to follow their expectations for the period of time between contact
and public disclosure.

Thanks,
--Shachar
