Message-ID: <20140626202820.GA24972@openwall.com>
Date: Fri, 27 Jun 2014 00:28:20 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: LMS-2014-06-16-1: Oberhumer LZO

On Thu, Jun 26, 2014 at 12:51:32PM -0600, Don A. Bailey wrote:
> This is to inform you of a security flaw in the Oberhumer LZO algorithm,
> typically packaged as liblzo2 or lzo-2. Please read the bug report inline.

Thank you for posting this and the other 5 bug reports.  I think it's
also helpful to link to your blog post:

"Raising Lazarus - The 20 Year Old Bug that Went to Mars"
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html

Don brought these issues to the distros list at "Mon Jun 23 16:57 UTC",
and they were already being patched by some of the affected projects at
the time - thus, (semi?)-public.  We argued for a while whether it's
appropriate to wait for more of the projects to have patches ready, or
to post to oss-security and other high-visibility places right away.
Initially, I asked that the issues be posted at least to oss-security,
as per distros list policy for public disclosure, within 24 hours.
However, as we know there ended up being a 4 day delay.  While this time
wasn't "wasted" - more patches were being produced, and Yves-Alexis
Perez of Debian came up with a lengthy list of projects that have the
affected code embedded - I do acknowledge that it's a violation of the
distros list policy, and I apologize for it.

I'd appreciate guidance from the oss-security community on how to deal
with such cases going forward: the person reporting a vulnerability
willing to wait for more projects to have it patched vs. the already
(semi?)-public nature of the vulnerability via commits, etc. by some of
the projects.  Is letting the vulnerability stay in limbo for 4 days
acceptable, or is it too much?  My initial gut feeling was "24 hours
max", which I communicated to Don and to distros list, but as we can see
actual disclosure occurred 4 days later.  (I did send a ping earlier
today, but I think the disclosure would have been today anyway.)  Should
I have pushed harder?  Should I have posted to oss-security myself (as a
BOFH list admin enforcing a policy), overriding others' preferences and
reasoning?

Yves-Alexis, can you please post that lengthy list in here?  Having it
available right away would be partial justification/excuse for the
delay in disclosing these issues appropriately. ;-)

Thanks,

Alexander
