oss-sec mailing list archives

Re: Qualys Security Advisory - The Stack Clash

From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 23 Jun 2017 08:02:36 -0600

On 2017-06-23 7:56 AM, Jeff Law wrote:

On 06/21/2017 03:27 PM, Brad Spengler wrote:

OpenBSD isn't a member of the distros list - they were notified by
Qualys separately.  This matter was discussed, and some folks were
unhappy about OpenBSD's action, but in the end it was decided that
since, as you correctly say, the underlying issue was already publicly
known, OpenBSD's commits don't change things much.  Sure this draws
renewed attention to the problem, but probably not to the extent and in
the many specific ways the Qualys findings cover.  So it was decided to
keep the embargo on the detail.

Thank you for clarifying that, my assumption was indeed wrong then.

Still, if OpenBSD was able to resolve the issues necessary after 
notification without leaking full details to the public, shouldn't 
this have been possible for the other projects without an embargo, 
let alone an extended one?

I  really doubt it for GCC for a variety of reasons.  Hell, I doubt I
could have gotten even a good discussion going about the problems with
-fstack-check without the details of the embargo'd CVE.

Even if I was able to get interest from other key GCC contributors, the
level of detail I'd have to disclose to those key contributors to make
progress would likely have violated the embargo.

Perhaps part of the difference is OpenBSD can move fairly independently
while something like GCC requires larger scale coordination and public
discussion.

Jeff

OpenBSD made changes to the then known qsort() issue, and implemented
what was then thought to be the solution to the stack guard issue, the 1
megabyte guard pages. Subsequent discussion (without OpenBSD present,
due to them breaking the embargo) took place and as you know we ended up
with some pretty significant changes to glibc (I don't know if OpenBSD
has picked this group of fixes up or not).

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com

Current thread:

Re: Qualys Security Advisory - The Stack Clash, (continued)
- - - Re: Qualys Security Advisory - The Stack Clash Daniel Micay (Jun 21)
    - Re: Qualys Security Advisory - The Stack Clash Florian Weimer (Jun 22)
- Re: Qualys Security Advisory - The Stack Clash Agostino Sarubbo (Jun 21)
  - Re: Qualys Security Advisory - The Stack Clash Brad Spengler (Jun 21)
    - Re: Qualys Security Advisory - The Stack Clash Solar Designer (Jun 21)
    - Re: Qualys Security Advisory - The Stack Clash Daniel Micay (Jun 21)
    - Re: Qualys Security Advisory - The Stack Clash Brad Spengler (Jun 21)
    - Re: Qualys Security Advisory - The Stack Clash Mike O'Connor (Jun 22)
    - Re: Qualys Security Advisory - The Stack Clash Solar Designer (Jun 24)
    - Re: Qualys Security Advisory - The Stack Clash Jeff Law (Jun 23)
    - Re: Qualys Security Advisory - The Stack Clash Kurt Seifried (Jun 23)
    - Re: Qualys Security Advisory - The Stack Clash Solar Designer (Jun 24)
    - Re: Qualys Security Advisory - The Stack Clash Qualys Security Advisory (Jun 21)
  - Re: Qualys Security Advisory - The Stack Clash Jeff Law (Jun 21)
    - Re: Qualys Security Advisory - The Stack Clash PaX Team (Jun 21)
    - Re: Qualys Security Advisory - The Stack Clash Jeff Law (Jun 21)