Date: Wed, 28 Jan 2015 05:18:42 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

On Tue, Jan 27, 2015 at 05:45:17PM -0800, Qualys Security Advisory wrote:
> On Tue, Jan 27, 2015 at 08:45:12PM +0300, Solar Designer wrote:
> > He found out that apparently the ghost image appeared on the Qualys
> > website on October 2.
>
> What?! No idea where this image came from, who created it, or why, or
> when. What is absolutely certain is that October 2 has nothing to do
> with this bug, simply because the first time someone here had the idea
> of calling it "GHOST" was on Friday evening! Yes, Friday, January 23,
> 2015!

Great. Then I suppose this was a pre-existing stock image with that date,
and someone found and re-used it later for this purpose preserving its
older (unrelated) timestamp. Sounds like a plausible guess.

> Please please please, less pointless bickering, more code auditing.

I agree, but I think this is not bickering, but rather reflections on
modern vulnerability handling processes. This is not about blame, at
least not for me.

Vulnerabilities with names and logos are a fairly recent trend, although
use of vulnerabilities for PR isn't new (many if not most of us are doing
it to a varying extent, often with the noble goal of being able to do
more work like this; that's OK). We're trying to figure out whether this
has drawbacks, which ones, how bad (or not) they are, and how we can do
better (or motivate others to do better).

By demonstrating that your company did not sit on this for too long you'd
provide a good example to others. And by discussing these aspects we
demonstrate that we care about disclosure timelines.

And, one thing I regret I did not suggest to you to add to the advisory
is a timeline. I have no idea what it looked like prior to the point when
you contacted me earlier this month.

Finally, let me state that I find the quality and extent of your analysis
impressive, and that it really helps. Thank you!

Alexander