Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 27 Jun 2014 00:28:20 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: LMS-2014-06-16-1: Oberhumer LZO

On Thu, Jun 26, 2014 at 12:51:32PM -0600, Don A. Bailey wrote:
> This is to inform you of a security flaw in the Oberhumer LZO algorithm,
> typically packaged as liblzo2 or lzo-2. Please read the bug report inline.

Thank you for posting this and the other 5 bug reports.  I think it's
also helpful to link to your blog post:

"Raising Lazarus - The 20 Year Old Bug that Went to Mars"
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html

Don brought these issues to the distros list at "Mon Jun 23 16:57 UTC",
and they were already being patched by some of the affected projects at
the time - thus, (semi?)-public.  We argued for a while whether it's
appropriate to wait for more of the projects to have patches ready, or
to post to oss-security and other high-visibility places right away.
Initially, I asked that the issues be posted at least to oss-security,
as per distros list policy for public disclosure, within 24 hours.
However, as we know there ended up being a 4 day delay.  While this time
wasn't "wasted" - more patches were being produced, and Yves-Alexis
Perez of Debian came up with a lengthy list of projects that have the
affected code embedded - I do acknowledge that it's a violation of the
distros list policy, and I apologize for it.

I'd appreciate guidance from the oss-security community on how to deal
with such cases going forward: the person reporting a vulnerability
willing to wait for more projects to have it patched vs. the already
(semi?)-public nature of the vulnerability via commits, etc. by some of
the projects.  Is letting the vulnerability stay in the limbo for 4 days
acceptable, or is it too much?  My initial gut feeling was "24 hours
max", which I communicated to Don and to distros list, but as we can see
actual disclosure occurred 4 days later.  (I did send a ping earlier
today, but I think the disclosure would have been today anyway.)  Should
I have pushed harder?  Should I have posted to oss-security myself (as a
BOFH list admin enforcing a policy), overriding others' preferences and
reasoning?

Yves-Alexis, can you please post that lengthy list in here?  Having it
available right away would be partial justification/excuse for the
delay in disclosing these issues appropriately. ;-)

Thanks,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.