LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

A /proc/PID/mem vulnerability

A /proc/PID/mem vulnerability

Posted Jan 26, 2012 20:06 UTC (Thu) by vonbrand (subscriber, #4458)
In reply to: A /proc/PID/mem vulnerability by PaXTeam
Parent article: A /proc/PID/mem vulnerability

Oh, come on. "There is a exploit out for a widely-discussed security bug" is not the same as "there is an expoit out there for each and every security bug." As long as you can't reasonably know if to publish any hint of possible security impact or just keep it quiet is the better course of action.

(Log in to post comments)

A /proc/PID/mem vulnerability

Posted Jan 26, 2012 22:34 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]

> "There is a exploit out for a widely-discussed security bug" is not the
> same as "there is an expoit out there for each and every security bug."

strawman and also an irrelevant tautology.

> As long as you can't reasonably know if to publish any hint of possible
> security impact or just keep it quiet is the better course of action.

real life says that you can reasonably know that there's an entire industry, both visible and invisible, out there that is watching and writing exploits as soon as they can get their hands on a bug, be that at bug commit time or later (the sooner the better as the value of 0-day beats anything else).

on the other hand the best course of action for users of said buggy code to save themselves is to fix the bugs (yes, i'm stating this myself despite being deeply involved in intrusion prevention technologies). for that they need to know about them, simple as that. covering up security fixes is diametrically opposite to that goal as it makes it much harder for users to reverse engineer the information from the commits whereas said industry has the brainpower to see through these silly attempts (as i said above, commits from Linus and certain other individuals draw immediate attention these days, witness what happened to this /proc/pid/mem bug).

btw, if you think keeping quiet about security impact information is the right course of action, what do you think about companies (linux vendors included) who do exactly that?

PS: i'm glad you stopped doubting that there *is* a coverup. you've come a long a way ;).

A /proc/PID/mem vulnerability

Posted Jan 26, 2012 23:01 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]

> [...]who do exactly that?

err, i obviously meant 'who do exactly the opposite' ;).

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds