Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 27 Jan 2015 23:49:48 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Qualys Security Advisory <qsa@...lys.com>
Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

On Tue, Jan 27, 2015 at 09:21:32AM -0800, Michal Zalewski wrote:
> I find it... profoundly disappointing... that we get to learn about
> 0-days via PR agency leaks (or that external PR agencies get to know
> about 0-days before the rest of the world - hey, sounds like a juicy
> target).
> 
> That said, the advisory makes up for it...

Michal has just made this blog post, which I guess he's too shy to
advertise in here, but I will:

http://lcamtuf.blogspot.com/2015/01/technical-analysis-of-qualys-ghost.html

He found out that apparently the ghost image appeared on the Qualys
website on October 2.  I've just downloaded the image as well, and I
confirm that this is what the server reports as the file's timestamp.
While it's not surprising that thorough vulnerability analysis, with a
lot of other pieces of software considered, could be taking a long time
(and a lot of effort), the 3+ month delay (is it for real?) is worrying.
Maybe many of us would have preferred the balance between
pre-publication analysis vs. delay adjusted differently.  Maybe we
would have preferred the company handling this sort of discovery not
spend time thinking of a fancy name and logo, focusing on speedier
vulnerability handling instead.  On the bright side, I guess this
name/logo thing did not take up the technical folks' time, so was
unlikely a cause of the delay (but the thorough analysis most certainly
was, which has pros and cons to us).  Another aspect is that compared to
the delay since the issue was silently fixed in upstream glibc, the
extra 3+ months are not that bad (as weird as it sounds).

A related concern is that if the timestamp on the image file reflects
when work on preparing the web page right on the public-facing web
server started, then some info on the vulnerability (whatever info that
web page has, or had at the time) may have been subject to extra risk
(via a possible web server compromise, or a compromise of related
systems - such as those holding web server backups, and those used to
edit web content).  This is not certain, though (the file may have been
copied from another machine along with its timestamp at a later time,
much closer to the public disclosure date).

The GHOST name was not yet in the (almost final) advisory draft sent to
the linux-distros list on January 18, nor was there any other name for
this vulnerability in there.  So it appeared to be an afterthought to me
when I learned of this name earlier today.  But perhaps it was not.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.