Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Linux's unofficial security-through-coverup policy
From: Valdis.Kletnieks () vt edu
Date: Wed, 16 Jul 2008 16:06:57 -0400

On Wed, 16 Jul 2008 09:44:37 EDT, Brad Spengler said:

To illustrate the point, in the 2.6.25.10 kernel, the following fix was
included with the commit message of:
Roland McGrath (1):
      x86_64 ptrace: fix sys32_ptrace task_struct leak

The kernel was released with no mention of security vulnerabilities in
the announcement, only "assorted bugfixes".

Put simply, it only took about an hour or so to develop a PoC for this
exploitable vulnerability which affects 64bit x86_64 kernels since
January. 

So tell me Brad - if Roland fixed a bug, *and didn't even realize it was
a security-exploitable* issue, how do you propose we proceed?  Do you suggest
that we stop and look at *every single commit* that fixes a bug, and see if
there's some corner case that makes it exploitable?  (Hint - I suggest you
go look at the number of git commits done during the average -rc1 kernel
lately, and figure out where the manpower will come from).

Or go trawling through the linux-kernel archives, and see how many times I've
reported an Oops or panic or hang (the answer is "so many I've lost count").
Yes, I probably should have (in your world) gotten some big splashy "security
advisory" out.

But you know what?  *IT* *DOESN'T* *ACTUALLY* *MATTER* *IN* *THE* *REAL* *WORLD*.
Just yesterday, I was talking on IRC to a rather clued individual, who was
still running 2.6.18 or so - because he had mission-critical custom patches
that hadn't been migrated to 2.6.25 yet.

And that's the *clued* user.  The *average* user, even a non-Windows one,
wouldn't know how to correctly deal with a security advisory unless it bit
them on the ass.  Literally.  The vast majority of them simply install updates
when they show up from their distro.  They don't know how to build their own
kernel, they can't analyze the threat model coherently, so it basically
changes into "I'll install it when it shows up in the GUI window of my distro's
patch manager".

The percentage of users that a more detailed bug announcement would actually
help is probably on the order of 0.05% or so.  The *other* 99.95% of them,
it's "A new update is available. Install? ( ) Yes   ( ) No".

OK, so we do Linux bugfix announcements the way *you* recommend.

Now suggest something *workable* for the *other* 99.95% that will *still*
be vulnerable.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]