Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4)
Posted Jan 26, 2012 15:45 UTC (Thu) by patrick_g
In reply to: Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4)
Parent article: Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4)
>> So far I have seen precious few people actually discussing the substance of the disagreement, the pros and cons of disclosure, the consistency or inconsistency of how known security bugs are handled compared to known filesystem corruption or performance regression bugs.
About this point I found this citation from Linus Torvalds very interesting:
« So my personal opinion is that the only sane approach is to just realize that it's not a solvable issue, and just treat bugs as bugs. We try to avoid having them in the first place, but when they do happen, we fix them. And we fix them without shouting from the rooftops about the details about how to exploit the issue, and without even trying to make it easy for the people who might want to try to exploit things to find them. And yes, that can very much involve not saying everything we know about how to exploit the bug in the changelog, or even necessarily pointing out that there is an advisory about it.
Do security people always agree with me? Hell no. But they don't agree amongst themselves either, so what does that prove?»