poor social estrategy
Posted Jan 8, 2005 14:33 UTC (Sat) by PaXTeam
In reply to: poor social estrategy
Parent article: grsecurity 2.1.0 and kernel vulnerabilities
a bit late, but for the record:
the grsecurity announcement you can see here is *not*, i repeat, *not* the same as the bug reports that Spender or i sent (and kept resending) Linus and/or Andrew. the announcement quotes my own mail verbatim towards the end (it even says so... did anyone bother to read that at all?), and i don't think it had anything offensive in it. my personal gripe is that for 3 weeks not a single acknowledgement arrived in my mailbox; i don't think that's the way the chief developers are supposed to handle security issues (however small or irrelevant they may have been in this case - it takes a one-liner to tell us so). as for going to other persons - who would that be? i don't want to talk to anyone i don't personally trust, and this immediately excludes the vendor-sec subscribers (observe the uselib() bug leak). anyone else left? with that said, i personally didn't agree with the chastising of their procedure (or rather, lack thereof) in public, but then it wasn't my announcement either.
as for Andrew's comment about anyone being able to DoS a linux box with malloc/memset... that attitude of downplaying bugs is pretty sad if he really meant it (and if true, that's a pretty sad state of affairs for linux). for one, we have CONFIG_SWAP, vm accounting and the OOM killer for a reason; second, there's no built-in recovery mechanism for the mlock/expand_down bug, so it is more serious than this malloc/memset issue.