Date: Wed, 28 Jun 2017 08:58:26 +0200
From: Dominique Martinet <asmadeus@...ewreck.org>
To: oss-security@...ts.openwall.com
Subject: Re: CoreOS membership to linux-distros

Sven Dowideit wrote on Wed, Jun 28, 2017:
> I'm responsible for RancherOS, and think that both I, and my users
> would prefer that I had access to the embargoed information earlier,
> so preparing a response would have been less of a rush.

I can relate to the rush feeling; even with few users / a "private" distro
here, having a custom kernel makes this kind of fix annoying...
But given the delayed exploit release I'd say it does not really matter
if you take a few days for this, especially in this case with the low
success rate on 64-bit Linux. "As soon as reasonably possible" does not
necessarily mean rush.

As a RHEL/CentOS spin-off, though, we would have liked the bug brought up
here ( https://bugzilla.redhat.com/show_bug.cgi?id=1463241 ) to have its
fix published faster; it's apparently been ready for a week but
not been published... I don't mind bugs, but if it's fixed it's annoying
to keep it behind closed doors.


> One of the things that would have made my last week less worrying, is
> to have some access to exploit code - so as to verify the changes
> actually had a useful effect.

You don't need an actual exploit to test this. You're not the first
person who has told me this, so I actually took some time this morning
to whip up a "tester" -- it's probably far from perfect, but it will run
successfully on older Debian/RHEL and crash with a patched kernel as
expected, and is as inoffensive as it can get.

I'm sure there are other better testers online, I didn't try looking as
I don't get much chance to play with this kind of stuff :)


Qualys gave a lot of details in their report (kudos to well-written
advisories like that!). I agree having everything on a golden plate is
better, but there really isn't much work left for smaller distros if you
trust the big ones or even just upstream, once the bugs got steamed out.

-- 
Asmadeus | Dominique Martinet

Attachment: "teststackclash.c" (text/x-csrc, 1551 bytes)
