oss-sec mailing list archives
Re: Qualys Security Advisory - The Stack Clash
From: Jeff Law <law () redhat com>
Date: Fri, 23 Jun 2017 07:56:30 -0600
On 06/21/2017 03:27 PM, Brad Spengler wrote:
>> OpenBSD isn't a member of the distros list - they were notified by Qualys separately. This matter was discussed, and some folks were unhappy about OpenBSD's action, but in the end it was decided that since, as you correctly say, the underlying issue was already publicly known, OpenBSD's commits don't change things much. Sure this draws renewed attention to the problem, but probably not to the extent and in the many specific ways the Qualys findings cover. So it was decided to keep the embargo on the detail.
>
> Thank you for clarifying that, my assumption was indeed wrong then. Still, if OpenBSD was able to resolve the issues necessary after notification without leaking full details to the public, shouldn't this have been possible for the other projects without an embargo, let alone an extended one?
I really doubt it for GCC for a variety of reasons. Hell, I doubt I could have gotten even a good discussion going about the problems with -fstack-check without the details of the embargo'd CVE. Even if I was able to get interest from other key GCC contributors, the level of detail I'd have to disclose to those key contributors to make progress would likely have violated the embargo.

Perhaps part of the difference is OpenBSD can move fairly independently while something like GCC requires larger scale coordination and public discussion.

Jeff