Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Nov 2017 07:32:28 -0500
From: Brad Spengler <spender@...ecurity.net>
To: oss-security@...ts.openwall.com
Cc: Vladis Dronov <vdronov@...hat.com>
Subject: Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due
 to a race condition in [legousbtower] driver

Hi Greg,

We're all aware of your objection, you bring it up every time 
anyone mentions Linux kernel security on this list.  However, 
please remember that all the people contributing on this list are 
taking on the responsiblity you and the majority of other upstream 
developers have abdicated.

We get it, every time there's some bug mentioned on here that 
you've already fixed, you want the entire world to know.  Only you 
apparently don't want the world to know about the bug at any time 
before then. Vladis' original mail made it clear the bug was 
already fixed with the included upstream fix link, so your 
follow-up was unnecessary.  As I've already demonstrated many 
times, there are plenty of vulnerabilities you haven't fixed.  The 
reason for that is largely due to the lack of coordinated 
recognition of security flaws which comes from the very top of 
leadership.  Another is probably that there are just so many flaws, 
and it's simply an accepted externality of the Linux development 
process.

If you truly believe there is no uniqueness to security bugs, I 
would advise you to shut down security@...nel.org.  I would also 
ask that you come up with a better solution to the problem than 
demanding people run the latest version of Linux. According to my 
current records someone taking that advice would be exposed to a 
bug that can brick systems that seems nowhere close to resolution, 
and one that makes it impossible to run KVM guests on AMD (which went
unfixed for 3 months, and the current fix isn't cc'd for stable --
makes me wonder how much testing -rc really gets).

You might want to focus your time on getting your own house in 
order instead of constantly pestering the people on this list -- we 
work in the trenches and aren't swayed by nonsense arguments that 
have no viable solution attached.

Thanks,
-Brad

On Tue, Nov 14, 2017 at 08:37:20AM +0100, Greg KH wrote:
> On Mon, Nov 13, 2017 at 07:42:27PM -0500, David A. Wheeler wrote:
> > On Mon, 13 Nov 2017 16:15:24 +0100, Greg KH <greg@...ah.com> wrote:
> > > It's the arbitrarily nature here that I am curious about, it feels like
> > > it should be "all or nothing", for CVEs to mean much here.  Right now it
> > > seems like it is just, "all that we care to track"?  :)
> > 
> > "All" would be awesome, though unlikely.  But even if that's the eventual goal,
> > "good starts" are still good starts.
> 
> But really, this isn't even a "good start", it's identifying a bug fixed
> over a year ago for a kernel that only one company seems to care about
> because they are _not_ following the recommended upstream stable kernel
> patches because they "know better" :)
> 
> That's my objection here.
> 
> thanks,
> 
> greg k-h

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.