oss-sec mailing list archives
Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: Tavis Ormandy <taviso () gmail com>
Date: Sat, 30 Mar 2024 16:30:25 -0000 (UTC)
On 2024-03-30, Marc Deslauriers wrote:
> On 2024-03-30 11:37, Tavis Ormandy wrote:
>> On 2024-03-30, Marc Deslauriers wrote:
>>> That is the problem, having more eyes on a 0-day also means more eyes from malicious entities. Neither having an embargo nor immediately posting publicly are ideal solutions. There needs to be a compromise, and while I understand and respect your point of view, I don't think we'll ever see eye-to-eye on what the acceptable compromise should be.
>>
>> Yeah, but your acceptable compromise *must* include Canonical having advance knowledge of backdoors, correct?
>
> Not necessarily.

Okay, you could unsubscribe from distros to help make the embargo stronger? :)

> For example, I don't have access to embargoed Chrome 0-days before the updates come out, and a lot of other folks don't either. Should all Chrome 0-days be public before the updates are available? Are you advocating for this?

Yes! If you have knowledge of *any* software that is backdoored or compromised or is being actively exploited with a 0day, I'm advocating -- please -- for you to make that public. This applies to literally *any* software, hardware or other product.

>> There are a lot of other users and organizations out there, and I think most of them also like having some agency, I know I do. If our roles were reversed -- my organization was on distros and yours was not -- do you think you would still be arguing for embargoes on backdoors?
>
> I'm not necessarily arguing for embargoes on backdoors, I'm saying that posting publicly about it before even knowing what it was would have resulted in a worse outcome. That's my opinion, you may think it's wrong.

Yes, I think it's wrong.

> Perhaps the question here is why isn't your organization on one of the multitude of places where this issue was discussed in private for a few hours, and where it was decided that this should be public?

I think maybe you're saying that if I was on the list, then I would like embargoes too! It's definitely better for the organizations on the list, no question. As you know, I was a distros and vendor-sec member for years, so I do know how they work :)

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso () sdf org
_\_V _( ) _( )  @taviso