On Wed, 16 Jul 2008 09:44:37 EDT, Brad Spengler said: > To illustrate the point, in the 2.6.25.10 kernel, the following fix was > included with the commit message of: > Roland McGrath (1): > x86_64 ptrace: fix sys32_ptrace task_struct leak > > The kernel was released with no mention of security vulnerabilities in > the announcement, only "assorted bugfixes". > > Put simply, it only took about an hour or so to develop a PoC for this > exploitable vulnerability which affects 64bit x86_64 kernels since > January. So tell me Brad - if Roland fixed a bug, *and didn't even realize it was a security-exploitable* issue, how do you propose we proceed? Do you suggest that we stop and look at *every single commit* that fixes a bug, and see if there's some corner case that makes it exploitable? (Hint - I suggest you go look at the number of git commits done during the average -rc1 kernel lately, and figure out where the manpower will come from). Or go trawling through the linux-kernel archives, and see how many times I've reported an Oops or panic or hang (the answer is "so many I've lost count"). Yes, I probably should have (in your world) gotten some big splashy "security advisory" out. But you know what? *IT* *DOESN'T* *ACTUALLY* *MATTER* *IN* *THE* *REAL* *WORLD*. Just yesterday, I was talking on IRC to a rather clued individual, who was still running 2.6.18 or so - because he had mission-critical custom patches that hadn't been migrated to 2.6.25 yet. And that's the *clued* user. The *average* user, even a non-Windows one, wouldn't know how to correctly deal with a security advisory unless it bit them on the ass. Literally. The vast majority of them simply install updates when they show up from their distro. They don't know how to build their own kernel, they can't analyze the threat model coherently, so it basically changes into "I'll install it when it shows up in the GUI window of my distro's patch manager". The percentage of users that a more detailed bug announcement would actually help is probably on the order of 0.05% or so. The *other* 99.95% of them, it's "A new update is available. Install? ( ) Yes ( ) No". OK, so we do Linux bugfix announcements the way *you* recommend. Now suggest something *workable* for the *other* 99.95% that will *still* be vulnerable.
Attachment:
pgpa4LWDlNpSY.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/