Date: Wed, 21 Jun 2017 15:57:27 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - The Stack Clash

On Wed, Jun 21, 2017 at 08:25:26AM -0400, Brad Spengler wrote:
> Finally, one thing I noted was missing from Solar's timeline is that
> on May 18th, the day after the private distros list was notified with
> details, this commit appeared in public:
> https://github.com/openbsd/src/commit/4ed6bfeac112229466414b94cdbd983fb8017796

IIRC, they also committed a relevant fix to their qsort().

> OpenBSD publishing this commit, in combination with Solar making repeated
> mentions here on oss-sec about a cross-OS issue being worked on was enough
> for me to know that the underlying issue being discussed was what we had
> widely discussed publicly in 2010 on LWN and elsewhere.  What's the official
> explanation for this, and is any action being taken for what I assume is a
> member of the private list breaking the embargo?

OpenBSD isn't a member of the distros list - they were notified by
Qualys separately.  This matter was discussed, and some folks were
unhappy about OpenBSD's action, but in the end it was decided that
since, as you correctly say, the underlying issue was already publicly
known, OpenBSD's commits don't change things much.  Sure this draws
renewed attention to the problem, but probably not to the extent and in
the many specific ways the Qualys findings cover.  So it was decided to
keep the embargo on the detail.

Ditto for the "move mmap_area and PIE binaries away from the stack"
patch series posted to LKML and CC'ed to kernel-hardening on June 2:

http://www.openwall.com/lists/kernel-hardening/2017/06/02/

which might have been inspired by Qualys work known to Red Hat engineers
internally.  A difference is that Red Hat is a member of the distros
list.  I brought this up on the distros list, and another Red Hat person
said "We'll deal with this internally."  Given the circumstances, I find
this response satisfactory.

I am far more concerned about the total embargo duration here than about
these two semi-leaks.

Alexander
