Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 21 Jun 2017 14:40:06 -0700
From: Qualys Security Advisory <qsa@...lys.com>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - The Stack Clash

Hi Solar, all,

Thank you very much for this constructive feedback.  For the sake of
transparency and an improved disclosure process in the future, we will
do the same now, and also address some of the concerns that have been
expressed since Monday.

But first, we would like to thank everyone who was involved in this
disclosure, for their hard work and patience, and especially Solar for
creating and administering the mailing-lists that made it possible (and
for accepting, although reluctantly, the embargo extension).

On Mon, Jun 19, 2017 at 10:39:33PM +0200, Solar Designer wrote:
> The stated argument for extending the embargo duration beyond list
> policy's maximum was that fixes presumably wouldn't be ready.

This was not the only reason why we eventually decided to extend the
embargo;  here is what we wrote in an e-mail to distros@, on May 28:

"""
The discussions that
took place here on distros eventually forced us to extend the embargo
from the original CRD (May 30) to June 19:

- there are serious problems with the two solutions that we proposed
  ("Increase the size of the stack guard-page" and "Recompile all
  userland code with GCC's -fstack-check option");

- please see Red Hat's analysis, attached;

- when we asked here if distros would be ready by May 30, only three
  answered (two "yes", one "no"), and hoping for the best ("the ones who
  did not answer will surely be ready") was not an option, and "let's
  publish anyway on May 30, distros should have been ready" was not an
  option either (the end users would be the ones suffering from such a
  debacle).
"""

The first problem was that 1MB is not enough on all architectures;  the
second problem was that -fstack-check does not always "touch" all pages;
and Red Hat's analysis was an extensive report about the fixes needed in
the kernel, the glibc, and gcc.

All of this, plus the third reason mentioned above, and our own
assessment of the situation, helped us make our decision to extend the
embargo.

> I understand
> it's rare for companies to do quality security research, and I didn't
> want my action to have hampered the stream of quality security research
> we're seeing from Qualys lately.

Thank you very much.  However, we must admit that this coordinated
release has been one of the most stressful and painful experiences we
ever had:  we were torn between those who wanted to publish early and
those who wanted to publish later, and in the middle of all this
coordination we were trying to complete our research (we had not
successfully exploited 64-bit Linux yet when we first contacted
distros@).

Such a responsible disclosure could have been, and should have been,
easier and simpler, even with so many vendors involved.  How could such
a situation be handled better next time?  We are open to suggestions.

Finally, we would like to address a concern that has been voiced by
Chris Evans (who has also quoted Solar's mail, thus answering here):

"""
There's also the question of whether "customers" get access to details
before patches are available
"""

Absolutely not:  we have not shared a single detail of these
vulnerabilities with anyone outside of Qualys before the Coordinated
Release Date;  and even within Qualys, we have kept this
compartmentalized until the very end.

Thank you very much!

With best regards,

-- 
the Qualys Security Advisory team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.