Date: Fri, 27 May 2022 07:26:50 -0400 From: "Mike O'Connor" <mjo@...o.mi.org> To: oss-security@...ts.openwall.com Cc: Solar Designer <solar@...nwall.com>, peterz@...radead.org, nslusarek@....net Subject: Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation :I think it's important to remember that closed mailing lists filled :with private/embargoed exploits become valuable targets. They have :been compromised ever since Zardoz in the 1980s, vendor-sec was :discontinued for the same reason. By keeping zerodays in linux-distros :you paint a target on every recipient of the list. You should assume Every recipient and their upstream providers. :that any working exploit code you share to a mailing list will :eventually fall into the hands of bad actors. Therefore, I don't think :selective full-disclosure works. Long ago, I suggested that such mailing lists should PLAN to be public eventually, and disclose the info themselves before someone beats them to it. For example, when June comes up, April linux-distros archives are made public, and that's advertised and known. Given its two week max embargo period, this shouldn't pose an issue for anyone. There is value in (eventually) seeing the sausage being made. I know Solar has made old linux-distros mailing list metadata public, has advised folks that "any/all list postings may be made public once the corresponding security issue is publicly disclosed". I suggest "may" become "will eventually". Take FWIW... -Mike -- Michael J. O'Connor mjo@...o.mi.org =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--= "Passion is the enemy of precision." -Daryl Zero
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.