Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 31 Jul 2015 01:51:01 -0700
From: Qualys Security Advisory <qsa@...lys.com>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper -
 CVE-2015-3246 libuser

Hello, this is one last post to an otherwise-closed sub-thread (with the
list moderators' approval): our intention is not to re-open this thread,
but to address some of the questions that were raised, and to emphasize
a few important facts.

On Thu, Jul 23, 2015, Leif Nixon wrote:
> *Why* are you releasing a full exploit just minutes after the patch is
> released?

First, this was just another local userland exploit, and local userland
exploits are usually published at the same time as their corresponding
patches and advisories:

http://www.openwall.com/lists/oss-security/2015/03/26/1
http://www.openwall.com/lists/oss-security/2015/04/14/4
http://www.openwall.com/lists/oss-security/2015/04/22/12
http://www.openwall.com/lists/oss-security/2015/05/21/9
http://www.openwall.com/lists/oss-security/2015/05/21/10
http://www.openwall.com/lists/oss-security/2015/06/16/2

Second, the libuser bugs are no complicated memory-corruption bugs (no
ROP-chain or ASLR-bypass is needed): an exploit for the common case can
be written in well under an hour (roothelper.c is complicated only
because it handles all corner cases).

Third, the userhelper binary is NOT default on all Red-Hat-based
distros, but the chfn binary IS, which is why we purposely chose to
release our userhelper exploit, but NOT our chfn exploit.

On Fri, Jul 24, 2015, Stephan Wiesand wrote:
> Wild guess: Their customers had plenty of time to understand the issue
> and its impact, and to roll out either a fix or some mitigation. And
> thus an edge. Looks like "just business...".

We are not into that kind of business: the reason we internally audit
open-source code at Qualys is that it allows us to make our products and
infrastructure more secure, and it is a great way to contribute to the
open-source community.

When we contacted Red Hat about the libuser vulnerabilities, we sent
them both our advisory and our exploit, and they promptly replied with
two CVEs and patches for us to review.  We would like to thank Red Hat's
Security Response Team and developers for giving us the opportunity to
review the patches while they were being written, because the end-result
greatly benefited from this cooperation.

As for why Red Hat published their updates and patches one hour after
the Coordinated Release Date (and we published our advisory even later
than that), Kurt Seifried already answered this here:

http://www.openwall.com/lists/oss-security/2015/07/24/3

With best regards,

-- 
the Qualys Security Advisory team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ