Date: Wed, 27 Feb 2013 18:46:51 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Jason A. Donenfeld" <Jason@...c4.com>
Subject: Re: CVE request - Linux kernel: VFAT slab-based buffer overflow

On 02/27/2013 04:24 PM, Jason A. Donenfeld wrote:
> On Thu, Feb 28, 2013 at 12:07 AM, Greg KH <greg@...ah.com> wrote:
>> Really?  Ok then, please go ahead and try doing this yourself if
>> you feel it is so "obvious" to do.
> 
> I did yesterday, actually. I saw some commit that said "use after 
> free!", saw that it was triggerable by an unpriv'd user, and sent
> it into the list. Kurt took a look at it, agreed with the
> assessment, and assigned a CVE. The commit itself said "use after
> free" -- I didn't even have to do any heavy lifting or
> hair-splitting investigation.

No, I didn't. This is why I require good quality requests; anything
else is a waste of my time. If it doesn't meet an easy "definitely a
security bug" bar, I push it back to people and keep poking them with
annoying questions; in some cases this takes weeks or months to be
resolved (some are quite subtle, like that IPv6 kernel stuff).

I assigned 1600-2000 CVEs last year; it will be more this year. At one
hour per CVE that would be a full year's work right there. Even at 1-5
minutes per CVE it's still a huge time sink. The kernel people are
working with roughly an order or two of magnitude more bug reports to
assess (because even trivial-looking things can turn out to have nasty
consequences or even represent entirely new classes of flaws; just
look at the recent Ruby stuff or XML stuff).

>> Nope, we are dumb, we do uninteresting, boring work, dealing with
>> broken hardware and demanding users every day.  If we were
>> smarter, we wouldn't be doing this type of thing.
> 
> Come on...

This also goes for security people. If we had any sense we'd go live
in a cabin in the woods, drink moonshine and go hunting. I'm still
assigning CVEs for /tmp file vulns. That's just inexcusably stupid.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

