Date: Sun, 30 Oct 2016 06:35:57 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-5195 test case

Hi Andy,

On Thu, Oct 27, 2016 at 08:35:01AM -0700, Andy Lutomirski wrote:
> I sat on this longer than makes any sense given how easy to reproduce
> CVE-2016-5195 is, but here's a reasonably portable reproducer.  It's
> intended to have no side effects, but your mileage may vary.
> 
> https://github.com/amluto/vulnerabilities/blob/master/others/CVE-2016-5195/test_CVE-2016-5195.c
> 
> This will use /proc/self/mem or ptrace automatically, and it's
> intended to be portable to a wide range of kernels.

Unfortunately, it still didn't work on systems without O_TMPFILE or/and
without a defined PR_SET_PTRACER_ANY.

Attached is a slightly more portable version.

> It's an improved
> version of the test case I originally sent out to distros (oops!).

Why "oops"?  Do you mean just the distros vs. linux-distros issue?

It's OK to send reproducers to the [linux-]distros list (the appropriate
one) as long as you intend to make them public shortly after public
disclosure of the issue itself (the earliest of: a few days or when
other public exploits/reproducers show up).  I think for most issues,
which are not high impact or/and where non-trivial pre-conditions need
to be met, it makes sense to make the (non-weaponized) reproducers
public right away (on the initial public disclosure date, along with
full vulnerability detail), but occasionally there will be issues like
this where delaying posting the reproducer a little bit makes sense.
It's just that I think you shouldn't have delayed as much.  Ideally, you
should have made a posting in here without the reproducer on the initial
public disclosure date (in fact, that's your responsibility per the
[linux-]distros list policy), and as others made reproducers available
within a day, you should have also posted yours the next day.

Just my opinion.

Thank you for your help in handling of this issue!

Alexander

View attachment "test_CVE-2016-5195.c" of type "text/x-c" (5069 bytes)

View attachment "test_CVE-2016-5195.c.diff" of type "text/plain" (740 bytes)
