
Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4)


Posted Jan 24, 2012 5:00 UTC (Tue) by raven667 (subscriber, #5198)
In reply to: Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4) by PaXTeam
Parent article: Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4)

> [...]so they would not be called out and people who only apply 'important' fixes would miss it.
did you just say (not the first time, if memory serves, mind you ;) that by not telling people to apply known security fixes their security will somehow be better? ;)

There is no need to address your other points, you have done a fine job on your own, but on this point I can only believe you are pretending to not understand what was meant because you are attacking a straw man. The point that this statement refers to is that, hypothetically, if you have 8 bug fixes, 2 of which have known security implications and 4 of which have security implications that are unknown, then telling people to only apply the two bugfixes leaves them more vulnerable than telling them to apply all 8. 6 is more than 2.

We can have opinions on whether this approach makes sense, not announcing the 2 bugs you know about and just pushing for all 8 so as to get the 4 you don't know about, but we can't pretend not to understand what the two positions are that we are discussing.



Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4)

Posted Jan 24, 2012 11:01 UTC (Tue) by PaXTeam (subscriber, #24616)

i know full well what dlang's talking about and i've explained numerous times where he's right and where he's wrong. to go with your example, here's another situation:

imagine, hypothetically, if you have 8 bug fixes, 2 of which have known security implications (they fix them) and 4 of which have security implications (they introduce them) that are unknown, then telling people to only apply the two bugfixes leaves them less vulnerable than telling them to apply all 8. -2 is less than 2.

so what did you try to say again? that we can fabricate arbitrary situations with arbitrary numbers that only prove that the world's not black&white but shades of grey?

let me tell you (again) where your thinking is wrong: you're saying that people are *not* getting more secure by applying (known) security fixes *because* they could get (even) *more* secure by applying 'all fixes' (whose definition is yet to be determined btw). i hope you'll see one day how ridiculous this is, you *cannot* be worse off by fixing a known security bug. lest you now want to claim that *anyone* who didn't update to 3.3-rc1 (which no doubt contains more fixes than this security bug) is in error.

Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4)

Posted Jan 24, 2012 11:37 UTC (Tue) by tialaramex (subscriber, #21167)

"you *cannot* be worse off by fixing a known security bug"

Trivially false by your own logic. You can supposedly fix the known security bug and introduce a far worse one. This happens. You can also _think_ you've fixed the bug when you haven't, creating a false sense of security.

Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4)

Posted Jan 24, 2012 11:45 UTC (Tue) by PaXTeam (subscriber, #24616)

when we said 'fix bug' above we obviously meant 'fix bug for real and without introducing another one'. pay attention to the context next time, please ;).

Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4)

Posted Jan 24, 2012 14:18 UTC (Tue) by tialaramex (subscriber, #21167)

I look forward to seeing this new type of patch which always fixes the entire problem however subtle and never introduces (or indeed re-introduces) other bugs. Until then, I hope you will agree that your hypothetical is a bit too... hypothetical?

Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4)

Posted Jan 24, 2012 15:11 UTC (Tue) by PaXTeam (subscriber, #24616)

you know, i'm beginning to really appreciate khim's post the other day where he mentioned the twitterbrain generation. are you seriously this challenged or just trolling around? do you understand that it wasn't *my* hypothetical situation that assumed perfect fixes but raven667's (as only that way can he/she arrive at his/her numbers). do you understand that i *intentionally* annotated my hypothetical situation with bracketed expressions exactly because i wanted to highlight that other real life situations may very well end up producing opposite numbers? IOW, your argument is not with me but i guess your brittle ego is still suffering from past losses and you thought it'd be a good time to take revenge. maybe next time? :)

Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4)

Posted Jan 25, 2012 11:48 UTC (Wed) by ekj (guest, #1524)

Yeah okay. If you apply a patch that "fixes the bug for real, and does not introduce any new bugs", then you cannot be worse off than you were initially, agreed.

How do you know if the patch you have in front of you is one of those ideal patches ?

Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4)

Posted Jan 25, 2012 13:24 UTC (Wed) by PaXTeam (subscriber, #24616)

> How do you know if the patch you have in front of you is one of those ideal patches ?

did you mean a general you or me personally? as for myself, if (i believe that) i know enough to determine this i will do so (e.g., i voiced my concerns regarding this particular case already), otherwise i do as anyone else would have to do: trust someone else. for kernel code i'm familiar with or for simple fixes (say, bounds checking a parameter) it's usually the former case, otherwise it's the latter. from my experience most attempts at fixing a problem turn out to be correct, very few introduce further problems or fix them inadequately (e.g., you can compare the number of CVEs fixing previous CVEs to the total number of CVEs to get an idea).

Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4)

Posted Jan 24, 2012 19:25 UTC (Tue) by raven667 (subscriber, #5198)

> you're saying that people are *not* getting more secure by applying (known) security fixes

That's NOT what I'm saying at all and I don't think that's what the OP is saying either

> they could get (even) *more* secure by applying 'all fixes'

That is what I understood the OP to mean and to be the position of the Linux dev team. All I'm trying to do here is get you to at least acknowledge you understand what your opponent is saying.

> so what did you try to say again? that we can fabricate arbitrary situations with arbitrary numbers that only prove that the world's not black&white but a shades of grey?

WTF. My example was included merely to illustrate what was being said, not to take any position on the rightness or wrongness of it. You are way off the mark trying to criticize my example instead of the point it was trying to illustrate.

> you now want to claim that *anyone* who didn't update to 3.3-rc1 (which no doubt contains more fixes than this security bug) is in error

I do get the impression that a lot of kernel developers wish that everyone would just run the current version and wouldn't muck around with "stable" versions and backported fixes although there is obviously enough interest to make a few stable versions.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds