Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 27 Feb 2013 20:26:47 +0100
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request - Linux kernel: VFAT slab-based buffer overflow

On Wed, Feb 27, 2013 at 6:03 AM, Greg KH <greg@...ah.com> wrote:
> I will say flat out that this is an impossible task to accomplish.

Maybe so, and the theory of the whole situation may lead to some
interesting debates.

But let's step back from the lofty arguments and look at a very simple
and practical situation:

Facts:

1. Nefarious folks notice security bugs, upon introduction commit,
upon fix commit, and in between the two.
2. Security bugs are often fixed in the upstream kernel.
3. Various organizations and individuals like to maintain stable
branches of a particular kernel version.
4. They like these branches to be as secure as possible.
5. They thus benefit from knowing which upstream changes affect
security bugs that are present in their branch.

This should be pretty plain and obvious.

The solution involves informing such stable maintainers of the issue
and of the fix. CVEs and oss-sec are supposed to help fulfill this
purpose.

Greg -- you then raise the issue, "Well who shall be responsible for
such reporting? It's an awful lot of pressure to figure out what's a
security fix and what isn't. I don't want to do that! Who wants to do
that?"

Plenty of people would gladly do that, but maybe that's besides the
point, as is this objection.

The solution to oss-sec being informed isn't for one person to be
responsible for mailing oss-sec, but for there to be a general climate
of, "oh, hey, I noticed this is security related. I've got a duty to
email oss-sec about it, because people's kernels getting owned is not
a good thing, and I like good things."

Folks on security@ are likely in a position to make such observations.
Other people on the various subsystem mailing lists are also in that
position. Occasionally I myself will peruse Linus' tree and notice
some silent fixes here or there (such as the tmpfs use-after-free
yesterday). Lots of people are in a position to notice.

How many of those people actually feel like it's a good and
quasi-necessary thing to email oss-sec about it? Nefarious folks,
obviously not. But it also seems like many of the individuals on
security@ don't feel that way either. Nor do many core kernel
developers (it would seem).

If people in a position to notice security related fixes don't feel
it's a good thing to pipe up to oss-sec, the practicality of the
matter is that we'll be worse off security-wise. As Kurt said, we
can't do it 100%, but I think if the general attitude would shift
amongst many of those who are in a position to notice security fixes,
we'd be a lot better off.

The solution is really a practical one. Go to NYC for a day, ride
around on MTA, and observe their flyers:

"If you see something, say something."

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.