Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation

[Solar Designer <solar () openwall com>]

On Fri, May 27, 2022 at 07:26:50AM -0400, Mike O'Connor wrote:
> :I think it's important to remember that closed mailing lists filled
> :with private/embargoed exploits become valuable targets. They have
> :been compromised ever since Zardoz in the 1980s, vendor-sec was
> :discontinued for the same reason. By keeping zerodays in linux-distros
> :you paint a target on every recipient of the list. You should assume
>
> Every recipient

Right.

> and their upstream providers.

Luckily, this is mostly not the case with (linux-)distros since all
messages relayed by the list are encrypted to their recipients' keys.

I say "mostly" because of possible two-stage attacks - where someone got
only temporary access to a subscriber's computer to compromise the
private key, but then targets their provider(s) for continued access to
encrypted messages.

> :that any working exploit code you share to a mailing list will
> :eventually fall into the hands of bad actors. Therefore, I don't think
> :selective full-disclosure works.
>
> Long ago, I suggested that such mailing lists should PLAN to be public
> eventually, and disclose the info themselves before someone beats them
> to it.  For example, when June comes up, April linux-distros archives
> are made public, and that's advertised and known.  Given its two week
> max embargo period, this shouldn't pose an issue for anyone.  There is
> value in (eventually) seeing the sausage being made.  I know Solar has
> made old linux-distros mailing list metadata public, has advised folks
> that "any/all list postings may be made public once the corresponding
> security issue is publicly disclosed".  I suggest "may" become "will
> eventually".

Yes, I recall you had suggested that, and it's within consideration.

Alexander