Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Linux's unofficial security-through-coverup policy
From: "Robert Peaslee" <peasleer () gmail com>
Date: Wed, 16 Jul 2008 15:26:09 -0400

Hi Brad,

Your comments are kind of misguided. Linus can be quoted as saying: "my
responsibility is to do a good job. And not pander to the people who want to
turn security into a media circus." He was referring to individuals such as
yourself when making the circus comment, as your message was slightly
alarmist and dramatized.

Security is important, of course - but Linus'
opinions<http://kerneltrap.org/mailarchive/linux-kernel/2008/7/15/2497674>are
completely correct in terms of development of the Linux kernel. I
would
agree with you if security bugs were actually being hidden, but they aren't.
They just aren't given special treatment.

--Robert Peaslee
www.robertpeaslee.com

On Wed, Jul 16, 2008 at 9:44 AM, Brad Spengler <spender () grsecurity net>
wrote:

Hi all,

I doubt many of you are following the "discussions" (if they can be
called that) that have been going on on LWN for the past couple weeks
regarding security fixes being intentionally covered up by the Linux
kernel developers and -stable maintainers.  Here are some references:

http://lwn.net/Articles/285438/
http://lwn.net/Articles/286263/
http://lwn.net/Articles/287339/
http://lwn.net/Articles/288473/
http://lwn.net/Articles/289805/

The Linux kernel has a formal policy in Documentation/SecurityBugs which
states under Section 2 Disclosure:
"We prefer to fully disclose the bug as soon as possible."

However, their policy in reality is quite different, as you can see for
yourself in the "discussion" going on now on LKML:

http://marc.info/?t=121507404600023&r=1&w=2

Some choice quotes from Linus that reflect how sad the current state is:
http://marc.info/?l=linux-kernel&m=121617056910384&w=2
(on commenting about what he would allow to be included in a commit
message)
"I literally draw the line at anything that is simply greppable for. If
it's not a very public security issue already, I don't want a simple
"git log + grep" to help find it."

http://marc.info/?l=linux-kernel&m=121613851521898&w=2
(when talking about the security backports Linux vendors provide for
customers)
"And they mostly do a crap job at it, only focusing on a small
percentage (the ones that were considered to be "big issues")"

They seem to have the impression that people who find an exploit kernel
vulnerabilities rely on the commit messages fixing the vulnerability
including some mention of security.  As it should be clear to anyone
actually involved in the security community, or anyone who has ever
written an exploit (particularly for the myriad silently fixed
vulnerabilities in Linux), this is far from reality.  The people who
*do* rely on these messages and announcements however are the smaller
distributions and individual users.  Yet Linus et al believe they're
helping you by pulling the wool over your eyes regarding the exploitable
vulnerabilities in their OS.

To illustrate the point, in the 2.6.25.10 kernel, the following fix was
included with the commit message of:
Roland McGrath (1):
     x86_64 ptrace: fix sys32_ptrace task_struct leak

The kernel was released with no mention of security vulnerabilities in
the announcement, only "assorted bugfixes".

Put simply, it only took about an hour or so to develop a PoC for this
exploitable vulnerability which affects 64bit x86_64 kernels since
January.  So since the time of the fix itself (or even before that if
someone spotted it before the kernel developers did themselves) users
have been at risk.  Yet in the imaginary world they live in, these
kernel developers think they're protecting you from that risk by not
telling you what you're vulnerable to.

Please let them know what you think of their policy of non-disclosure
and coverups.  I hope someone also educates them on their ridiculous
notion of "untrusted local users" like Greg uses in his announcement of
the 2.6.25.11 kernel:
http://lwn.net/Articles/289804/

If you remain complacent about the state of affairs, you're only
enabling them to continue their current misguided foolishness.

-Brad

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIfftEmHm2SUJF1GoRAktWAJ9DAPKD+xOzxwhgG+3jaIEQhZaGLwCfWB1z
JcW3+i5FirNKEz0JcAEu84o=
=FE0K
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]