Date: Thu, 17 Nov 2016 17:50:17 +0000
From: Jason Cooper <osssecurity@...edaemon.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-4484: - Cryptsetup Initrd root Shell

Hi John,

On Thu, Nov 17, 2016 at 04:56:06PM +0000, John Haxby wrote:
> On 17/11/16 16:39, Jason Cooper wrote:
> > However, the golden rule still applies.  Physical access trumps all
> > defensive measures.  The absolute best you can do is detect that
> > physical access occurred.  From there, you're hoping there are no
> > hardware implants or other devices outside the scope of software
> > security.
> 
> I agree.  However, it ought to be harder than leaning on the enter
> key to break into a system.  You lock your doors even though it doesn't
> stop a determined burglar?

Yes, as I said before, non-deterministic failure modes are bad.  This
CVE is a bug in the initrd script and needs to be fixed.  What I
disagree with, and still do, is the "sky is falling!" nature of the
alert.

thx,

Jason.
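
As an added illustration of the two failure modes under discussion (this is not code from the thread, nor the cryptsetup/initramfs-tools cryptroot script itself): a minimal model of an initrd unlock loop. The weak variant hands out a rescue shell once the retry budget is exhausted, which is what "leaning on the enter key" exploits, since an empty passphrase counts as a failed try; the hardened variant does the same bookkeeping but halts the boot instead. All names here (MAX_TRIES, try_unlock, drop_to_shell, halt_boot, attempt_loop) are assumptions for the example, and the "correct horse" passphrase is a constructed stand-in.

```sh
#!/bin/sh
# Added example, not the real cryptroot hook. Models the retry logic of
# an initramfs unlock script. Function and variable names are assumptions.

MAX_TRIES=3

# Constructed stand-in for "cryptsetup open": only one passphrase works;
# anything else, including the empty string you get by pressing Enter,
# is a failed attempt.
try_unlock() {
    [ "$1" = "correct horse" ]
}

# Stand-in for a panic()-style handler that starts a rescue shell.
# Prints a marker instead of exec'ing /bin/sh so the outcome is testable.
drop_to_shell() { echo "shell"; }

# Stand-in for a handler that stops the boot without offering a shell.
halt_boot() { echo "halt"; }

# $1 = handler to run when the retry budget is exhausted;
# remaining args = passphrases typed at the console, one per try.
# When the attacker types nothing more, each further try is an empty
# passphrase, i.e. just pressing Enter.
attempt_loop() {
    on_fail=$1
    shift
    count=0
    while [ "$count" -lt "$MAX_TRIES" ]; do
        pw=${1-}
        if [ $# -gt 0 ]; then shift; fi
        if try_unlock "$pw"; then
            echo "unlocked"
            return 0
        fi
        count=$((count + 1))
    done
    "$on_fail"
    return 1
}

# Weak: exhausting the budget drops to a root shell on the console.
unlock_weak() { attempt_loop drop_to_shell "$@"; }

# Hardened: same loop, but exhausting the budget halts the boot.
unlock_hardened() { attempt_loop halt_boot "$@"; }

# Stand-alone demo: hold Enter (no passphrases supplied) against both.
unlock_weak || true
unlock_hardened || true
```

The point of keeping the loop identical in both variants is that the bug is not in the retry counting but in what the script does when the counter runs out: the exhaustion handler must be a deterministic refusal, never an interactive fallback.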
