Date: Tue, 27 Jan 2015 23:49:48 +0300 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Cc: Qualys Security Advisory <qsa@...lys.com> Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235) On Tue, Jan 27, 2015 at 09:21:32AM -0800, Michal Zalewski wrote: > I find it... profoundly disappointing... that we get to learn about > 0-days via PR agency leaks (or that external PR agencies get to know > about 0-days before the rest of the world - hey, sounds like a juicy > target). > > That said, the advisory makes up for it... Michal has just made this blog post, which I guess he's too shy to advertise in here, but I will: http://lcamtuf.blogspot.com/2015/01/technical-analysis-of-qualys-ghost.html He found out that apparently the ghost image appeared on the Qualys website on October 2. I've just downloaded the image as well, and I confirm that this is what the server reports as the file's timestamp. While it's not surprising that thorough vulnerability analysis, with a lot of other pieces of software considered, could be taking a long time (and a lot of effort), the 3+ month delay (is it for real?) is worrying. Maybe many of us would have preferred the balance between pre-publication analysis vs. delay adjusted differently. Maybe we would have preferred the company handling this sort of discovery not spend time thinking of a fancy name and logo, focusing on speedier vulnerability handling instead. On the bright side, I guess this name/logo thing did not take up the technical folks' time, so was unlikely a cause of the delay (but the thorough analysis most certainly was, which has pros and cons to us). Another aspect is that compared to the delay since the issue was silently fixed in upstream glibc, the extra 3+ months are not that bad (as weird as it sounds). A related concern is that if the timestamp on the image file reflects when work on preparing the web page right on the public-facing web server started, then some info on the vulnerability (whatever info that web page has, or had at the time) may have been subject to extra risk (via a possible web server compromise, or a compromise of related systems - such as those holding web server backups, and those used to edit web content). This is not certain, though (the file may have been copied from another machine along with its timestamp at a later time, much closer to the public disclosure date). The GHOST name was not yet in the (almost final) advisory draft sent to the linux-distros list on January 18, nor was there any other name for this vulnerability in there. So it appeared to be an afterthought to me when I learned of this name earlier today. But perhaps it was not. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.