Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 28 Jan 2015 05:18:42 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

On Tue, Jan 27, 2015 at 05:45:17PM -0800, Qualys Security Advisory wrote:
> On Tue, Jan 27, 2015 at 08:45:12PM +0300, Solar Designer wrote:
> > He found out that apparently the ghost image appeared on the Qualys
> > website on October 2.
> 
> What?!  No idea where this image came from, who created it, or why, or
> when.  What is absolutely certain is that October 2 has nothing to do
> with this bug, simply because the first time someone here had the idea
> of calling it "GHOST" was on Friday evening!  Yes, Friday, January 23,
> 2015!

Great.

Then I suppose this was a pre-existing stock image with that date, and
someone found and re-used it later for this purpose preserving its older
(unrelated) timestamp.  Sounds like a plausible guess.

> Please please please, less pointless bickering, more code auditing.

I agree, but I think this is not bickering, but rather reflections on
modern vulnerability handling processes.  This is not about blame, at
least not for me.  Vulnerabilities with names and logos are a fairly
recent trend, although use of vulnerabilities for PR isn't new (many if
not most of us are doing it to a varying extent, often with the noble
goal of being able to do more work like this; that's OK).  We're trying
to figure out whether this has drawbacks, which ones, how bad (or not)
they are, and how we can do better (or motivate others to do better).
By demonstrating that your company did not sit on this for too long
you'd provide a good example to others.  And by discussing these aspects
we demonstrate that we care about disclosure timelines.

And, one thing I regret I did not suggest to you to add to the advisory
is a timeline.  I have no idea what it looked like prior to the point
when you contacted me earlier this month.

Finally, let me state that I find the quality and extent of your
analysis impressive, and that it really helps.  Thank you!

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.