Date: Fri, 23 Jun 2017 08:02:36 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - The Stack Clash

On 2017-06-23 7:56 AM, Jeff Law wrote:
> On 06/21/2017 03:27 PM, Brad Spengler wrote:
>>> OpenBSD isn't a member of the distros list - they were notified by
>>> Qualys separately.  This matter was discussed, and some folks were
>>> unhappy about OpenBSD's action, but in the end it was decided that
>>> since, as you correctly say, the underlying issue was already publicly
>>> known, OpenBSD's commits don't change things much.  Sure this draws
>>> renewed attention to the problem, but probably not to the extent and in
>>> the many specific ways the Qualys findings cover.  So it was decided to
>>> keep the embargo on the detail.
>> Thank you for clarifying that, my assumption was indeed wrong then.
>>
>> Still, if OpenBSD was able to resolve the issues necessary after
>> notification without leaking full details to the public, shouldn't
>> this have been possible for the other projects without an embargo,
>> let alone an extended one?
> I really doubt it for GCC for a variety of reasons.  Hell, I doubt I
> could have gotten even a good discussion going about the problems with
> -fstack-check without the details of the embargo'd CVE.
>
> Even if I was able to get interest from other key GCC contributors, the
> level of detail I'd have to disclose to those key contributors to make
> progress would likely have violated the embargo.
>
> Perhaps part of the difference is OpenBSD can move fairly independently
> while something like GCC requires larger scale coordination and public
> discussion.
>
> Jeff
>
OpenBSD made changes to the then known qsort() issue, and implemented
what was then thought to be the solution to the stack guard issue, the 1
megabyte guard pages. Subsequent discussion (without OpenBSD present,
due to them breaking the embargo) took place and as you know we ended up
with some pretty significant changes to glibc (I don't know if OpenBSD
has picked this group of fixes up or not).

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
