On Thu, Dec 14, 2006 at 06:39:55PM -0600, David_Coffey@xxxxxxxxxx wrote:
> Gentoo Security Team,
>
> This statement seems to contrast greatly your practice of not following
> a "professional" responsible disclosure process; particularly, posting a
> security issue only 8.5 hours after your initial report was confirmed by
> McAfee and a mere 9 hours after you sent in your initial report.
>

David, the issue had already been discussed in public, as we informed you. There is no point trying to bury an issue once it has already been discussed in public; we issued an advisory to ensure that our users were aware that the issue existed.

> This is not generally considered "responsible" practice. If you are not
> already aware, there are many responsible disclosure guidelines and
> practices which have been published, like those outlined at
> http://www.oisafety.org/ (we are founding members and adhere to these
> guidelines).

Not everyone believes these guidelines are in everyone's best interests.

> In another matter, McAfee disagrees with your statement that this is
> a "high" severity issue, as the privilege of the executed code is not
> raised from the privileges of the executing user. In addition to this,
> an attacker would have had to compromise the machine through another
> mechanism in order to place the malicious library on the system.

Well, then you have a fundamental misunderstanding of the issue. Does an attacker have to compromise your machine to get you to use your virus scanner on an arbitrary file? No. Your DT_RPATH tag instructs the dynamic loader to search the working directory for shared libraries; if you scan an ELF DSO by invoking your scanner on the file, then executing arbitrary code is trivial.

I sent you a very clear example of this privately, including step-by-step instructions on how to reproduce it. If you did not understand my instructions, please contact me off-list and I will explain it in detail.

Thanks, Tavis.
-- 
-------------------------------------
taviso@xxxxxxxxxxxxxxxx | finger me for my pgp key.
-------------------------------------------------------
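The defect Tavis describes is a DT_RPATH (or DT_RUNPATH) whose components are empty or relative, so the dynamic loader resolves them against whatever the current working directory happens to be. The script below is an added example, not part of this thread or of any vendor's code: it parses an ELF image's program headers, walks the PT_DYNAMIC segment, resolves the DT_STRTAB address through the PT_LOAD segments, and reports any search-path component that is not absolute. The constructed sample ELF it builds for itself is a minimal image with one PT_LOAD and one PT_DYNAMIC segment and is only enough to exercise the parser; it is not a real program.

```python
"""Audit ELF files for DT_RPATH / DT_RUNPATH components that the dynamic
loader would resolve relative to the current working directory.
Added example; the sample ELF built at the bottom is constructed, not real."""
import struct

DT_NULL, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 5, 15, 29
PT_LOAD, PT_DYNAMIC = 1, 2
TAG_NAMES = {DT_RPATH: "DT_RPATH", DT_RUNPATH: "DT_RUNPATH"}


def _layout(data):
    """Return (phdr format, dyn format, e_phoff, e_phentsize, e_phnum)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little endian
    if data[4] == 2:                             # EI_CLASS: 2 = ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        return end + "IIQQQQQQ", end + "qQ", e_phoff, e_phentsize, e_phnum
    (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    return end + "IIIIIIII", end + "iI", e_phoff, e_phentsize, e_phnum


def elf_search_paths(data):
    """Return [(tag_name, path_string)] for every DT_RPATH / DT_RUNPATH entry."""
    ph_fmt, dyn_fmt, e_phoff, e_phentsize, e_phnum = _layout(data)
    is64 = data[4] == 2
    loads, dynamic = [], None
    for i in range(e_phnum):
        f = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        # Elf64_Phdr: type, flags, offset, vaddr, ...; Elf32_Phdr: type, offset, vaddr, ...
        p_type, p_offset, p_vaddr, p_filesz = (f[0], f[2], f[3], f[5]) if is64 else (f[0], f[1], f[2], f[4])
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []                                # static binary: no loader search

    def vaddr_to_offset(va):
        for vaddr, off, size in loads:
            if vaddr <= va < vaddr + size:
                return va - vaddr + off
        raise ValueError("address 0x%x not inside any PT_LOAD segment" % va)

    entries, pos, step = [], dynamic[0], struct.calcsize(dyn_fmt)
    while pos + step <= dynamic[0] + dynamic[1]:
        tag, val = struct.unpack_from(dyn_fmt, data, pos)
        pos += step
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab = [v for t, v in entries if t == DT_STRTAB]
    if not strtab:
        return []
    base = vaddr_to_offset(strtab[0])            # DT_STRTAB holds a virtual address
    out = []
    for tag, val in entries:
        if tag in TAG_NAMES:
            s = data[base + val:data.index(b"\0", base + val)]
            out.append((TAG_NAMES[tag], s.decode("latin-1")))
    return out


def unsafe_components(path_string):
    """Components the loader resolves against the working directory:
    an empty entry (e.g. a trailing ':') or any non-absolute path such as '.'."""
    return [c for c in path_string.split(":") if c == "" or not c.startswith("/")]


def audit(data):
    """Map tag name -> unsafe components; an empty dict means nothing to fix."""
    findings = {}
    for tag, path in elf_search_paths(data):
        bad = unsafe_components(path)
        if bad:
            findings.setdefault(tag, []).extend(bad)
    return findings


def build_sample_elf(rpath=None, runpath=None):
    """Constructed ELF64 LE image: header, one PT_LOAD, one PT_DYNAMIC, strtab."""
    base, strings, offs = 0x400000, b"\0", {}
    for tag, s in ((DT_RPATH, rpath), (DT_RUNPATH, runpath)):
        if s is not None:
            offs[tag] = len(strings)
            strings += s.encode() + b"\0"
    dyn_off = 64 + 2 * 56
    str_off = dyn_off + (2 + len(offs)) * 16
    total = str_off + len(strings)
    dyn = struct.pack("<qQ", DT_STRTAB, base + str_off)
    for tag, o in offs.items():
        dyn += struct.pack("<qQ", tag, o)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    dyn_ph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                         base + dyn_off, len(dyn), len(dyn), 8)
    return ehdr + load + dyn_ph + dyn + strings


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            print(name, audit(fh.read()) or "no cwd-relative search paths")
```

Run it over the binaries and shared objects of a package to get a list of DT_RPATH/DT_RUNPATH components that need to be replaced with absolute paths (or removed) at build time; a clean result is an empty dict per file. The parser reads only the program headers, so it also works on stripped files with no section table.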
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/