> For me, the main issue here is this: are these things real security problems or not?

It's not that simple. Security means everything and nothing at the same time. There are people
who consider security only about risk of intrusion. Other people consider the risk of remote
or local DoS. Others the risk of data leak. If we want to be picky, everything which can
permit a non-privileged user to cause a malfunction resulting in a degradation of performance,
integrity, availability, confidentiality or traceability is a security issue.
As you can see, the smallest driver bug can become a security issue. If someone plugs a
usb-serial cable into a machine and makes it crash, it is a security issue if it is normally
not allowed to enter this machine.
Brad tends to be particularly picky about security issues (and it is good to have someone who
really sees a lot of risks as he does). Other people like Al Viro consider that anything which
requires root to impact the security is not a problem, because once your box is rooted, you
have lost. These differences explain why a lot of bugs are not marked as security issues and
are complained about afterwards.
Another example I reported a long time ago: make a chroot, mount /proc into it, install a
shell there, chroot over there, then "cd /proc/1/cwd". Bingo, you're out of the chroot. Some
people say that since this "cd" already requires being root, it's not an issue. Others
(including myself) consider it is an issue. It's just a matter of point of view unfortunately.
Overall, I think the security issues are correctly taken by the middle chain (2.4 and
2.6-stable), but the fact that information sometimes gets lost at the starting point makes it
difficult to dig for the whole thing. It depends on who reported the issue and how it was
merged into mainline in fact. Sometimes, a big security fix will get immediately merged, even
before a CVE gets assigned. But those ones are not the most difficult to track.
The most difficult ones are the ones which require special knowledge in a specific area and
which are not covered as security problems by the person who initially fixes them (by lack of
knowledge too). This is often the case with drivers.