Date: Tue, 14 Nov 2017 07:32:28 -0500 From: Brad Spengler <spender@...ecurity.net> To: oss-security@...ts.openwall.com Cc: Vladis Dronov <vdronov@...hat.com> Subject: Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Hi Greg, We're all aware of your objection, you bring it up every time anyone mentions Linux kernel security on this list. However, please remember that all the people contributing on this list are taking on the responsiblity you and the majority of other upstream developers have abdicated. We get it, every time there's some bug mentioned on here that you've already fixed, you want the entire world to know. Only you apparently don't want the world to know about the bug at any time before then. Vladis' original mail made it clear the bug was already fixed with the included upstream fix link, so your follow-up was unnecessary. As I've already demonstrated many times, there are plenty of vulnerabilities you haven't fixed. The reason for that is largely due to the lack of coordinated recognition of security flaws which comes from the very top of leadership. Another is probably that there are just so many flaws, and it's simply an accepted externality of the Linux development process. If you truly believe there is no uniqueness to security bugs, I would advise you to shut down security@...nel.org. I would also ask that you come up with a better solution to the problem than demanding people run the latest version of Linux. According to my current records someone taking that advice would be exposed to a bug that can brick systems that seems nowhere close to resolution, and one that makes it impossible to run KVM guests on AMD (which went unfixed for 3 months, and the current fix isn't cc'd for stable -- makes me wonder how much testing -rc really gets). You might want to focus your time on getting your own house in order instead of constantly pestering the people on this list -- we work in the trenches and aren't swayed by nonsense arguments that have no viable solution attached. Thanks, -Brad On Tue, Nov 14, 2017 at 08:37:20AM +0100, Greg KH wrote: > On Mon, Nov 13, 2017 at 07:42:27PM -0500, David A. Wheeler wrote: > > On Mon, 13 Nov 2017 16:15:24 +0100, Greg KH <greg@...ah.com> wrote: > > > It's the arbitrarily nature here that I am curious about, it feels like > > > it should be "all or nothing", for CVEs to mean much here. Right now it > > > seems like it is just, "all that we care to track"? :) > > > > "All" would be awesome, though unlikely. But even if that's the eventual goal, > > "good starts" are still good starts. > > But really, this isn't even a "good start", it's identifying a bug fixed > over a year ago for a kernel that only one company seems to care about > because they are _not_ following the recommended upstream stable kernel > patches because they "know better" :) > > That's my objection here. > > thanks, > > greg k-h Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ