Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 21 Jun 2017 14:40:06 -0700
From: Qualys Security Advisory <>
Subject: Re: Qualys Security Advisory - The Stack Clash

Hi Solar, all,

Thank you very much for this constructive feedback.  For the sake of
transparency and an improved disclosure process in the future, we will
do the same now, and also address some of the concerns that have been
expressed since Monday.

But first, we would like to thank everyone who was involved in this
disclosure, for their hard work and patience, and especially Solar for
creating and administering the mailing-lists that made it possible (and
for accepting, although reluctantly, the embargo extension).

On Mon, Jun 19, 2017 at 10:39:33PM +0200, Solar Designer wrote:
> The stated argument for extending the embargo duration beyond list
> policy's maximum was that fixes presumably wouldn't be ready.

This was not the only reason why we eventually decided to extend the
embargo;  here is what we wrote in an e-mail to distros@, on May 28:

The discussions that
took place here on distros eventually forced us to extend the embargo
from the original CRD (May 30) to June 19:

- there are serious problems with the two solutions that we proposed
  ("Increase the size of the stack guard-page" and "Recompile all
  userland code with GCC's -fstack-check option");

- please see Red Hat's analysis, attached;

- when we asked here if distros would be ready by May 30, only three
  answered (two "yes", one "no"), and hoping for the best ("the ones who
  did not answer will surely be ready") was not an option, and "let's
  publish anyway on May 30, distros should have been ready" was not an
  option either (the end users would be the ones suffering from such a

The first problem was that 1MB is not enough on all architectures;  the
second problem was that -fstack-check does not always "touch" all pages;
and Red Hat's analysis was an extensive report about the fixes needed in
the kernel, the glibc, and gcc.

All of this, plus the third reason mentioned above, and our own
assessment of the situation, helped us make our decision to extend the

> I understand
> it's rare for companies to do quality security research, and I didn't
> want my action to have hampered the stream of quality security research
> we're seeing from Qualys lately.

Thank you very much.  However, we must admit that this coordinated
release has been one of the most stressful and painful experiences we
ever had:  we were torn between those who wanted to publish early and
those who wanted to publish later, and in the middle of all this
coordination we were trying to complete our research (we had not
successfully exploited 64-bit Linux yet when we first contacted

Such a responsible disclosure could have been, and should have been,
easier and simpler, even with so many vendors involved.  How could such
a situation be handled better next time?  We are open to suggestions.

Finally, we would like to address a concern that has been voiced by
Chris Evans (who has also quoted Solar's mail, thus answering here):

There's also the question of whether "customers" get access to details
before patches are available

Absolutely not:  we have not shared a single detail of these
vulnerabilities with anyone outside of Qualys before the Coordinated
Release Date;  and even within Qualys, we have kept this
compartmentalized until the very end.

Thank you very much!

With best regards,

the Qualys Security Advisory team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.