
Quote of the week

Wow, who'd have thought that loading 6 megabytes of unauditable code into your kernel and X server might be a bad idea? It's almost like code running as root was some sort of potential security issue, or something.

-- Matthew Garrett



Quote of the week

Posted Oct 19, 2006 19:58 UTC (Thu) by sbergman27 (guest, #10767) [Link] (12 responses)

Isn't this the first exploit in 5 years, though?

How many OSS projects can claim that?

Not to be anti-OSS, but fair's fair, right? We wouldn't stand for NVidia jumping up and pointing out, every time an exploit in OSS code is found, that it's easier for crackers to find them if they have the code.

I see no point in throwing mud at their otherwise quite good security reputation based upon one relatively rare incident, regardless of whether their code is open or closed.

Quote of the week

Posted Oct 19, 2006 21:31 UTC (Thu) by stuart (subscriber, #623) [Link] (7 responses)

Apart from the fact they've known about it for at least 18 months.

Also there is still no official fix. One can upgrade to a "BETA" driver, which might fix it but there's been no official word, the beta driver is not even available from nvidia.com.

Open-source projects may have problems but I'd say the vast majority fix security problems (even if that's by way of accepting a 3rd party patch) as soon as they are made aware of the problem. Particularly projects which have such privileges on the system as the kernel and X11.

Quote of the week

Posted Oct 19, 2006 23:09 UTC (Thu) by einstein (subscriber, #2052) [Link] (5 responses)

The beta driver has been available from nvidia for some weeks now. I simply downloaded it from their ftp site, and it's been running nicely. Actually I downloaded 1.0-9625 in September, and went back for 1.0-9262 last week or so.

Quote of the week

Posted Oct 19, 2006 23:11 UTC (Thu) by einstein (subscriber, #2052) [Link]

typo, make that 1.0-9626....

Quote of the week

Posted Oct 20, 2006 3:13 UTC (Fri) by grouch (guest, #27289) [Link] (3 responses)

The beta driver has been available from nvidia for some weeks now. I simply downloaded it from their ftp site, and it's been running nicely. Actually I downloaded 1.0-9625 in September, and went back for 1.0-9262 last week or so.

By "running nicely", do you mean you have audited the code and confirmed that the vulnerability being reported has indeed been fixed and that no others exist in the code at this time?

Quote of the week

Posted Oct 20, 2006 6:44 UTC (Fri) by sbergman27 (guest, #10767) [Link]

Presumably you've done this with the OSS nv driver? Detailed results, please?

Quote of the week

Posted Oct 21, 2006 18:29 UTC (Sat) by sbergman27 (guest, #10767) [Link] (1 responses)

It's been a day and a half since my previous post and I'm still interested in the results of your code audit.

Of course, you may not have an NVidia card and thus may have no motivation to audit the OSS nv driver. Perhaps you could supply your results from the driver for the chipset you *do* have? I would be interested in that as well.

Or perhaps just a link to the results of someone else's code audit of the OSS nv driver?

"Many Eyes" only make "All Bugs Shallow" if any of those eyes actually bother to look.

Quote of the week

Posted Oct 26, 2006 0:47 UTC (Thu) by leoc (guest, #39773) [Link]

Which exploit in the open source nv driver are you referring to exactly?

Quote of the week

Posted Oct 20, 2006 4:49 UTC (Fri) by dberkholz (guest, #23346) [Link]

That's not true, it was a misunderstanding on the part of the advisory authors.

See http://lists.freedesktop.org/archives/xorg/2006-October/0... for more detail.

Quote of the week

Posted Oct 21, 2006 0:18 UTC (Sat) by intgr (subscriber, #39733) [Link] (3 responses)

Consider that:
(1) Video driver code is uninteresting for crackers since there are so many levels of indirection between the network/file formats and the graphics driver, that even if a bug was found, it will likely be impossible to exploit without direct access to the computer or the X server.
(2) Binary BLOBs take *much* more effort to audit since all the attacker has is the assembly code - which has to be reverse engineered and understood first.

Given these conditions that make auditing binary video drivers particularly unattractive, I think it's grossly unfair to compare it to an average piece of OSS code.

Quote of the week

Posted Oct 21, 2006 14:02 UTC (Sat) by mday_ii (guest, #25315) [Link] (1 responses)

I was first exposed to the acronym "BLOB" in the late 80's by RDBMS developers. It meant "Binary Large OBject." Hence when I see "Binary BLOB" I read it as "Binary Binary Large Object."

Quote of the week

Posted Oct 21, 2006 17:57 UTC (Sat) by dirtyepic (guest, #30178) [Link]

try Binary Bigasshuge Large OBject

Quote of the week

Posted Oct 21, 2006 18:40 UTC (Sat) by sbergman27 (guest, #10767) [Link]

If I understand you correctly, you are saying that closed source code is inherently more secure than OSS code.

Quote of the week

Posted Oct 20, 2006 14:12 UTC (Fri) by arjan (subscriber, #36785) [Link]

why bother about the binary blob part if the "open" wrapper already shows that this driver has "give me more privileges" ioctls....


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds