Date: Fri, 31 Jul 2015 01:51:01 -0700 From: Qualys Security Advisory <qsa@...lys.com> To: oss-security@...ts.openwall.com Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Hello, this is one last post to an otherwise-closed sub-thread (with the list moderators' approval): our intention is not to re-open this thread, but to address some of the questions that were raised, and to emphasize a few important facts. On Thu, Jul 23, 2015, Leif Nixon wrote: > *Why* are you releasing a full exploit just minutes after the patch is > released? First, this was just another local userland exploit, and local userland exploits are usually published at the same time as their corresponding patches and advisories: http://www.openwall.com/lists/oss-security/2015/03/26/1 http://www.openwall.com/lists/oss-security/2015/04/14/4 http://www.openwall.com/lists/oss-security/2015/04/22/12 http://www.openwall.com/lists/oss-security/2015/05/21/9 http://www.openwall.com/lists/oss-security/2015/05/21/10 http://www.openwall.com/lists/oss-security/2015/06/16/2 Second, the libuser bugs are no complicated memory-corruption bugs (no ROP-chain or ASLR-bypass is needed): an exploit for the common case can be written in well under an hour (roothelper.c is complicated only because it handles all corner cases). Third, the userhelper binary is NOT default on all Red-Hat-based distros, but the chfn binary IS, which is why we purposely chose to release our userhelper exploit, but NOT our chfn exploit. On Fri, Jul 24, 2015, Stephan Wiesand wrote: > Wild guess: Their customers had plenty of time to understand the issue > and its impact, and to roll out either a fix or some mitigation. And > thus an edge. Looks like "just business...". We are not into that kind of business: the reason we internally audit open-source code at Qualys is that it allows us to make our products and infrastructure more secure, and it is a great way to contribute to the open-source community. When we contacted Red Hat about the libuser vulnerabilities, we sent them both our advisory and our exploit, and they promptly replied with two CVEs and patches for us to review. We would like to thank Red Hat's Security Response Team and developers for giving us the opportunity to review the patches while they were being written, because the end-result greatly benefited from this cooperation. As for why Red Hat published their updates and patches one hour after the Coordinated Release Date (and we published our advisory even later than that), Kurt Seifried already answered this here: http://www.openwall.com/lists/oss-security/2015/07/24/3 With best regards, -- the Qualys Security Advisory team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ