How Badlock was discovered and fixed

[Security] Posted Apr 18, 2016 13:14 UTC (Mon) by corbet

This post on the Red Hat Enterprise Linux blog describes the discovery and repair of the "Badlock" vulnerability. One begins to understand a little better why it took as long as it did. "The code was rewritten; in March 2016 the changes needed to fix all eight CVEs amounted to about 200 individual patches against a development version of Samba, with about half of those responsible for fixing CVE-2015-5370. When backported to previous stable Samba versions, they needed additional hundred patches. To oldest supported Samba version — about four hundred patches. What started as an individual snowflake became an avalanche but it wasn’t finished yet."


Copyright © 2016, Eklektix, Inc.