Not so fast
Posted Jun 18, 2008 6:57 UTC (Wed) by man_ls (subscriber, #15091)
In reply to: Not so fast by PaXTeam
Parent article: Stable kernel 2.6.25.7 released
where did we suggest that 'our way' is to unleash full blown exploits on the unsuspecting public in order to stress the bug's importance?
I think my scenario (find vuln, exploit it, publish and get CVE id, then send commit with CVE in message) is almost as dangerous without a published exploit. I can see why giving this kind of information away in the kernel commits (even a CVE id) scares people. I don't think it was a misrepresentation, but whatever.
FYI, every one of the commits we brought up had been discussed on either the kernel security list or vendor-sec.
If it is vendor-sec, then Documentation/SecurityBugs does not apply. When it is the kernel security list it applies, but this policy document doesn't say what you seem to think it says. It clearly states that kernel security officers will disclose what they are told as they see fit, and anyone reporting the bug cannot rely on secrecy on their part.
From what we have seen bugs are disclosed, just not the way you like. You are getting all worked up because commit messages do not reflect the kind of information you would like to be there, and that is fine, but it does not follow from the document that it should be there. "Full disclosure" is not "crying wolf".
does your definition of 'minor' also match that of the rest of the world?
In this thread we have seen a bug which cannot be exploited ("still, this pattern is dangerous, someone had better audit the code for it."), another one only exploitable by root and a local DoS (i.e. a crash). I sincerely hope the rest of the world also thinks these things are minor.
says who? 'man_ls' or is it the agreed-upon kernel policy?
I say that security professionals who rely upon kernel commits to perform security assessments are crazy. If you think it is sound professional conduct, let me know where you get your security. If for "agreed-upon kernel policy" you are referring again to Documentation/SecurityBugs, then you are still deluding yourself. Where does it say that "kernel commits will contain all available information for security professionals"? Bugs are disclosed and that is what they agreed to.