
Re: [Full-disclosure] Linux's unofficial security-through-coverup policy



In reference to this:
http://article.gmane.org/gmane.linux.kernel/706950

There is this:
http://img136.imageshack.us/img136/7451/poster68251050mx9.jpg

Shirkdog
' or 1=1-- 

http://www.shirkdog.us

> Date: Wed, 16 Jul 2008 09:44:37 -0400
> To: dailydave@xxxxxxxxxxxxxxxxxxxxx
> From: spender@xxxxxxxxxxxxxx
> CC: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] Linux's unofficial security-through-coverup policy
> 
> Hi all,
> 
> I doubt many of you are following the "discussions" (if they can be 
> called that) that have been going on on LWN for the past couple weeks 
> regarding security fixes being intentionally covered up by the Linux 
> kernel developers and -stable maintainers.  Here are some references:
> 
> http://lwn.net/Articles/285438/
> http://lwn.net/Articles/286263/
> http://lwn.net/Articles/287339/
> http://lwn.net/Articles/288473/
> http://lwn.net/Articles/289805/
> 
> The Linux kernel has a formal policy in Documentation/SecurityBugs which 
> states under Section 2 Disclosure:
> "We prefer to fully disclose the bug as soon as possible."
> 
> However, their policy in reality is quite different, as you can see for 
> yourself in the "discussion" going on now on LKML:
> 
> http://marc.info/?t=121507404600023&r=1&w=2
> 
> Some choice quotes from Linus that reflect how sad the current state is:
> http://marc.info/?l=linux-kernel&m=121617056910384&w=2
> (on commenting about what he would allow to be included in a commit 
> message)
> "I literally draw the line at anything that is simply greppable for. If 
> it's not a very public security issue already, I don't want a simple 
> "git log + grep" to help find it."
> 
> http://marc.info/?l=linux-kernel&m=121613851521898&w=2
> (when talking about the security backports Linux vendors provide for 
> customers)
> "And they mostly do a crap job at it, only focusing on a small 
> percentage (the ones that were considered to be "big issues")"
> 
> They seem to have the impression that people who find and exploit kernel 
> vulnerabilities rely on the commit messages fixing the vulnerability 
> including some mention of security.  As it should be clear to anyone 
> actually involved in the security community, or anyone who has ever 
> written an exploit (particularly for the myriad silently fixed 
> vulnerabilities in Linux), this is far from reality.  The people who 
> *do* rely on these messages and announcements however are the smaller 
> distributions and individual users.  Yet Linus et al believe they're 
> helping you by pulling the wool over your eyes regarding the exploitable 
> vulnerabilities in their OS.
> 
> To illustrate the point, in the 2.6.25.10 kernel, the following fix was 
> included with the commit message of:
> Roland McGrath (1):
>       x86_64 ptrace: fix sys32_ptrace task_struct leak
> 
> The kernel was released with no mention of security vulnerabilities in 
> the announcement, only "assorted bugfixes".
> 
> Put simply, it only took about an hour or so to develop a PoC for this 
> exploitable vulnerability which affects 64bit x86_64 kernels since 
> January.  So since the time of the fix itself (or even before that if 
> someone spotted it before the kernel developers did themselves) users 
> have been at risk.  Yet in the imaginary world they live in, these 
> kernel developers think they're protecting you from that risk by not 
> telling you what you're vulnerable to.
> 
> Please let them know what you think of their policy of non-disclosure 
> and coverups.  I hope someone also educates them on their ridiculous 
> notion of "untrusted local users" like Greg uses in his announcement of 
> the 2.6.25.11 kernel:
> http://lwn.net/Articles/289804/
> 
> If you remain complacent about the state of affairs, you're only 
> enabling them to continue their current misguided foolishness.
> 
> -Brad

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/