Bugtraq mailing list archives
Re: OpenBSD 2.9,2.8 local root compromise
From: dmuz <dmuz () slatibartfast angrypacket com>
Date: Fri, 15 Jun 2001 09:17:29 -0700
On Fri, Jun 15, 2001 at 09:18:15AM +0200, Andreas Haugsnes said:

First off, I am in no way an official representative of OpenBSD, but I feel that there is an unfair stigma against OpenBSD, and I want to dispel that. I don't know if this will get through seeing as how it is lacking "technical content" relevant to BUGTRAQ, but I think that if people can post their *opinions* on OpenBSD and security issues, I should be able to post my reply.

> I must say that I gasped and had to wipe sweat from my forehead when I read, tested and could confirm this exploit.

Do you do this every time an exploit comes out for any Linux vendor, or Microsoft? You must have a sweaty forehead.

> The OpenBSD-team has known about this for -6- days (15th of June), and they haven't been able to come up with at least a temporary fix?

I'd like to know what method of notification Georgi used. Did he file a confidential bug report, or did he just send an email to Theo? He could have also sent an email to one of the mail lists, stating that he had discovered a problem and could someone "in the know" contact him.

> I can't find anything on errata / security warnings, what's up with that?

What's up with people acting like the sky is falling when any type of exploit is released for OpenBSD? I'd be interested to see a graph of released exploits for Operating Systems. Where do you think OpenBSD would be on that chart in relation to others?

The reality is that the OpenBSD development team is small, and busy. And yes this is a problem, and yes they were notified, and yes no one officially responded to this BUGTRAQ post and they did not have a patch ready to go. Most of these developers are people just like you and me who have jobs and work on OpenBSD because they enjoy it, and like the ideals behind OpenBSD. No one is getting rich on doing this, believe me.

If what you desire is someone to be there for you night and day, to have a patch right away, you should probably be running another OS. I'm not just saying that to be rude or refute the problem with a "go away" attitude. I'm serious.

In conclusion, OpenBSD never claimed that they were never going to be vulnerable to security issues, and they promised that they would be able to fix everything in a timely manner. But when I look at the alternatives, for some reason I still prefer it. Go figure...

btw.. if you made it through my rant here is your reward:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/kern/kern_exec.c

--
dmuz <dmuz.angrypacket.com> <sec.angrypacket.com>
