Full Disclosure mailing list archives
Re: [ GLSA 200612-15 ] McAfee VirusScan: Insecure DT_RPATH
From: <David_Coffey () McAfee com>
Date: Thu, 14 Dec 2006 18:39:55 -0600
Gentoo Security Team,

On your security web page (http://www.gentoo.org/security/en/index.xml), you make the following statement about how you work with vendors in a professional manner: "We work directly with vendors, end users and other OSS projects to ensure all security incidents are responded to quickly and professionally."

This statement seems to contrast greatly with your practice of not following a "professional" responsible disclosure process; particularly, posting a security issue only 8.5 hours after your initial report was confirmed by McAfee and a mere 9 hours after you sent in your initial report.

Not following responsible disclosure places customers, both ours and yours, at risk. You put them at risk because you did not allow us even a customary amount of time to make a fix available. Now, the information you posted could be used to create exploits, yet there is no patch immediately available. You apparently posted this information without knowing or caring if there was a secure fix available for the vulnerable users. This is not generally considered "responsible" practice.

If you are not already aware, there are many responsible disclosure guidelines and practices which have been published, like those outlined at http://www.oisafety.org/ (we are founding members and adhere to these guidelines). These disclosure guidelines (or similar guidelines from CERT and others) help protect the end user by both encouraging the vendors to be responsive and making sure that there is a secure solution available prior to disclosure. Responsible disclosure is a good thing, and we highly encourage you to adopt some form of it for your future vendor interactions. You seem to adopt some form of it for Gentoo-related security issues, as it states on your vulnerability policy page (http://www.gentoo.org/security/en/vulnerability-policy.xml), but you do not seem to adopt it for issues in other vendor applications.

We regret that you felt the need to publish the vulnerability before we could issue a fix to secure our users. We are proceeding with addressing this on our side as quickly as possible, as we would have, no matter the timing of your disclosure. At this point, we cannot commit to a time frame, but it will be as soon as possible.

In another matter, McAfee disagrees with your statement that this is a "high" severity issue, as the privilege of the executed code is not raised from the privileges of the executing user. In addition to this, an attacker would have had to compromise the machine through another mechanism in order to place the malicious library on the system.

David Coffey
Manager of Product Security
McAfee, Inc.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
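The severity dispute above turns on who can place a library in a directory named by DT_RPATH. As an added example (editor's code, not from the advisory, McAfee or Gentoo), this Python check classifies each entry of an RPATH string by that question; the rules it applies and the sample directory layout it builds are assumptions of the example.

```python
import os
import stat
import tempfile

# Classify each search directory of a DT_RPATH/DT_RUNPATH string by whether a
# user other than the owner could put a library there. Rules are assumptions.
def audit_rpath(rpath, binary_dir="/opt/example/bin"):
    findings = []
    for token in rpath.split(":"):
        if token == "":
            # An empty element is searched as the current working directory.
            findings.append((token, "empty entry resolves to the caller's cwd"))
            continue
        path = token.replace("${ORIGIN}", binary_dir).replace("$ORIGIN", binary_dir)
        if not os.path.isabs(path):
            findings.append((token, "relative path resolved against the caller's cwd"))
            continue
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            findings.append((token, "directory missing; check who may create it"))
            continue
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append((token, "world-writable directory"))
        elif mode & stat.S_IWGRP:
            findings.append((token, "group-writable directory"))
    return findings


def demo():
    # Constructed layout: one owner-only directory, one world-writable one,
    # plus a relative entry, an empty entry and a missing directory.
    base = tempfile.mkdtemp()
    safe = os.path.join(base, "lib")
    loose = os.path.join(base, "dropzone")
    os.mkdir(safe)
    os.mkdir(loose)
    os.chmod(safe, 0o755)
    os.chmod(loose, 0o777)
    rpath = ":".join([safe, loose, "../lib", "", os.path.join(base, "missing")])
    return audit_rpath(rpath)


if __name__ == "__main__":
    for token, reason in demo():
        print(f"{token!r}: {reason}")
```

Only the entries a non-owner could influence are reported; the 0755 directory produces no finding, which is the distinction the severity argument rests on.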
Current thread:
- [ GLSA 200612-15 ] McAfee VirusScan: Insecure DT_RPATH Sune Kloppenborg Jeppesen (Dec 13)
- <Possible follow-ups>
- Re: [ GLSA 200612-15 ] McAfee VirusScan: Insecure DT_RPATH David_Coffey (Dec 14)
- Re: [ GLSA 200612-15 ] McAfee VirusScan: Insecure DT_RPATH Tavis Ormandy (Dec 14)
