oss-sec mailing list archives
Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser
From: Qualys Security Advisory <qsa () qualys com>
Date: Fri, 31 Jul 2015 01:51:01 -0700
Hello, this is one last post to an otherwise-closed sub-thread (with the list moderators' approval): our intention is not to re-open this thread, but to address some of the questions that were raised, and to emphasize a few important facts.

On Thu, Jul 23, 2015, Leif Nixon wrote:

> *Why* are you releasing a full exploit just minutes after the patch is released?

First, this was just another local userland exploit, and local userland exploits are usually published at the same time as their corresponding patches and advisories:

http://www.openwall.com/lists/oss-security/2015/03/26/1
http://www.openwall.com/lists/oss-security/2015/04/14/4
http://www.openwall.com/lists/oss-security/2015/04/22/12
http://www.openwall.com/lists/oss-security/2015/05/21/9
http://www.openwall.com/lists/oss-security/2015/05/21/10
http://www.openwall.com/lists/oss-security/2015/06/16/2

Second, the libuser bugs are no complicated memory-corruption bugs (no ROP-chain or ASLR-bypass is needed): an exploit for the common case can be written in well under an hour (roothelper.c is complicated only because it handles all corner cases).

Third, the userhelper binary is NOT default on all Red-Hat-based distros, but the chfn binary IS, which is why we purposely chose to release our userhelper exploit, but NOT our chfn exploit.

On Fri, Jul 24, 2015, Stephan Wiesand wrote:

> Wild guess: Their customers had plenty of time to understand the issue and its impact, and to roll out either a fix or some mitigation. And thus an edge. Looks like "just business...".

We are not into that kind of business: the reason we internally audit open-source code at Qualys is that it allows us to make our products and infrastructure more secure, and it is a great way to contribute to the open-source community.

When we contacted Red Hat about the libuser vulnerabilities, we sent them both our advisory and our exploit, and they promptly replied with two CVEs and patches for us to review. We would like to thank Red Hat's Security Response Team and developers for giving us the opportunity to review the patches while they were being written, because the end result greatly benefited from this cooperation.

As for why Red Hat published their updates and patches one hour after the Coordinated Release Date (and we published our advisory even later than that), Kurt Seifried already answered this here:

http://www.openwall.com/lists/oss-security/2015/07/24/3

With best regards,

-- 
the Qualys Security Advisory team