Re: Why send bugs embargoed to distros?

[Cliff Perry <cperry () redhat com>]

On 23/09/17 12:44, Hanno Böck wrote:
> Hi,
>
> A few days have passed since the optionsbleed disclosure. Some
> interesting things have surfaced, e.g. the fact that it was apparently
> discovered already in 2014, but nobody noticed it was a security bug.
>
>
> But I'd like to discuss something else:
> I had informed the distros mailing list one week earlier about the
> upcoming disclosure with a bug description and links to the already
> available patch.
> My understanding is that the purpose of the distros list is that
> updates can be prepared so after a disclosure the time between "vuln is
> known" and "patch is available" is short.
> However from all I can see this largely didn't happen.
>
> Debian+Ubuntu took more than a day after disclosure to fix. According
> to the Debian bug tracker the bug got only opened after the public
> disclosure[2]. I see no sign that any work on a fix began before the
> disclosure.
>
> If I can trust Red Hat's CVE tracker [3] there still are no fixed
> packages available. Also I haven't found any info about updated
> opensuse packages.
>
> The only distro I'm aware of that prepared packages and pushed them
> right after disclosure is Gentoo.
>
> All of this makes me wonder if the distros list serves its purpose.
>
> I'd be curious to hear:
>
> a) if any people felt that pre-disclosure of optionsbleed was helpful
> to them and in which way (after all - even if it only helps minor
> distros and major distros ignore it it may still be a good thing).
>
> b) if people think that they'd usually prepare a fixed package, however
> they didn't consider optionsbleed important enough. (Naturally I
> probably have a bias seeing my findings as more important as other
> people, but I could live with that.)
>
> c) other things?
>
>
>
> [1] https://arxiv.org/pdf/1405.2330.pdf
> https://blog.fuzzing-project.org/61-How-Optionsbleed-wasnt-found-in-2014.html
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876109
> [3] https://access.redhat.com/security/cve/cve-2017-9798

Hi Hanno,
The detail of your report was good quality and I'm sure appreciated by
everyone who needed to review it. I know that for Red Hat the
pre-disclosure was useful.

During analysis, like SUSE, we rated it as having a security impact of
Moderate (https://access.redhat.com/security/updates/classification);
and not highly impacting that required expedited preparation of packages
for the embargo date. Additional information is contained within the
bugzilla linked off our CVE page
(https://bugzilla.redhat.com/show_bug.cgi?id=1490344).

We look forward to working with you again in the future.

Regards,
Cliff

-- 
Senior Engineering Manager

Red Hat Product Security