LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LWN.net Weekly Edition for September 4, 2008

The Kernel Hacker's Bookshelf: UNIX Internals

DRI, BSD, and Linux

SCHED_FIFO and realtime throttling

LWN.net Weekly Edition for August 28, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Stability v. security fixes

Stability v. security fixes

Posted May 10, 2007 7:42 UTC (Thu) by mjcox@redhat.com (subscriber, #31775)
Parent article: Stability v. security fixes

The cpio issue isn't running cpio on untrusted data, the overflow is in the filename handling, so you'd need to run cpio on a rather suspicious looking filename (where the filename contains the trigger for this issue, shellcode etc)

You can find out what issues we've deferred at any point in time by doing a bugzilla query against the product of interest where Keyword = "Security". We now also publish statements directly into the National Vulnerability Database (nvd.nist.gov) for these issues.

Where a package has been selected for the Update for some other reason (in
the cpio case to fix a couple of bugs), we'll also take that opportunity to
include fixes for any security issues we previously deferred. Whenever we include a fix for a security issue, even a low severity one, in
an Update release, we will promote it to a security update and include the CVE; even if it does mean we'll end up as being counted as fixing more vulnerabilities or having longer days of risk metrics for these low severity issues.

(Log in to post comments)

Stability v. security fixes

Posted May 10, 2007 8:12 UTC (Thu) by addw (subscriber, #1771) [Link]

The only reason why you may want to delay outputting a fix is if it might break something else; ie the fixed version is in some way incompatible with the previous version.

I would really doubt that the fixed cpio would break any backup/... script, so what is the harm in releasing it?

One of the reasons for paying for RedHat is the nice warm feeling that you are being looked after. If fixes are delayed like this you are allowing a cold draft into the blanket.

Stability v. security fixes

Posted May 10, 2007 14:50 UTC (Thu) by uravanbob (subscriber, #4050) [Link]

Actually, my industrial customers see ANY change as a requirement to recertify the software - this is of course very expensive. It is not always a completely rational view, but then it is their systems that they are making the decisions for. In this case we are talking about security fixes for problems that rate very low on the risk scale - security is very much a risk management game, so as long as RH makes these fixes available to those who feel they need it, I see no cause for complaints other than that RH is penalized in the counting game.

As a developer, it is very frustrating when a user wont apply a patch, however it is even more annoying when a 'minor - should not affect anything' change has major consequences because well, we're human and screwed up somewhere.

Stability v. security fixes

Posted May 10, 2007 17:06 UTC (Thu) by dlang (subscriber, #313) [Link]

the complaint people are makeing is that RedHat didn't make these patches available for a long time (over a year in several cases)

Stability v. security fixes

Posted May 10, 2007 8:27 UTC (Thu) by mjcox@redhat.com (subscriber, #31775) [Link]

(My team corrected me that the cpio issue is caused by a file with a carefully crafted rather large filesize, not filename -- see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172669 )

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds