User: Password:
|
|
Subscribe / Log in / New account

Kernel security, year to date

Kernel security, year to date

Posted Sep 12, 2008 9:52 UTC (Fri) by nix (subscriber, #2304)
In reply to: Kernel security, year to date by eteo
Parent article: Kernel security, year to date

Well, there's 91b80969ba466ba4b915a4a1d03add8c297add3f and
27df6f25ff218072e0e879a96beeb398a79cdbc8 from the current stable tree. Now
neither actually say the Magic Word 'security', but anyone who's using an
upstream kernel who doesn't recognise that a buffer overrun is a security
concern *deserves* to be broken into for utter stupidity, IMNSHO.

They don't have CVE numbers and perhaps the authors didn't even bother to
isolate the commit that introduced the problem. How terrifying, I'm sure
the fix is much worse as a consequence.

Naturally some bugs have nothing mentioned in the changelogs: not everyone
cares to mention them, not everyone who fixes such a bug knows it is
security fixes at the time they're fixed, and so on.

Haven't we done this whole tiresome argument before? :/


(Log in to post comments)

Kernel security, year to date

Posted Sep 12, 2008 10:03 UTC (Fri) by eteo (guest, #36711) [Link]

> They don't have CVE numbers and perhaps the authors didn't even bother to

They have CVE names now. CVE-2008-3915 for commit 91b80969, and CVE-2008-3911 for commit 27df6f25.

> isolate the commit that introduced the problem. How terrifying, I'm sure
> the fix is much worse as a consequence.

I don't really understand what you are trying to say.

Kernel security, year to date

Posted Sep 12, 2008 10:10 UTC (Fri) by nix (subscriber, #2304) [Link]

The drumbeat here has been that security problems which aren't a)
identified as such with the magic word 'security' and b) don't have CVE
numbers shouldn't even have their fixes committed in case the bad guys
spot the fix (as far as I can tell). I'm trying to point out that even
when they're not identified as such, it's often quite easy to identify
them.

Kernel security, year to date

Posted Sep 12, 2008 23:34 UTC (Fri) by bfields (subscriber, #19510) [Link]

They don't have CVE numbers and perhaps the authors didn't even bother to isolate the commit that introduced the problem.
09229edb68a3961db54174a2725055bd1589b4b8 and dc9a16e49dbba3dd042e6aec5d9a7929e099a89b.
How terrifying, I'm sure the fix is much worse as a consequence.

I don't think knowing the original commits would help much with the fixes in this particular case, but if you see any problems, speak up. I agree that including the commit id's of the original commits would have been a good idea, and I'll try to do that in the future.

And if I could make a request for next time: could you please (please!) respond by email instead of lwn comments? Preferably cc'd to the relevant public lists, but if for some reason you just can't stand the idea of sending email to vger lists, then private mail will work too.

Kernel security, year to date

Posted Sep 12, 2008 23:46 UTC (Fri) by nix (subscriber, #2304) [Link]

I didn't email you about this because I didn't think you'd done anything
which needed to change: you fixed a bug, and that's great. Obviously you
knew these fixes had security implications because you said so, and, to
me, that's enough.

(I *was* being somewhat sarcastic. Of course the fix isn't worse because
of the wording of the log message! :) )

Kernel security, year to date

Posted Sep 13, 2008 2:51 UTC (Sat) by bfields (subscriber, #19510) [Link]

you fixed a bug, and that's great.

Yeah, well, but I'm also the one that introduced the more serious of those two bugs (and failed to catch the other in review). Urgh.

I *was* being somewhat sarcastic.

OK! I think it's a reasonable request to include the commit id's that introduced the bugs, though.

Kernel security, year to date

Posted Sep 13, 2008 3:00 UTC (Sat) by bfields (subscriber, #19510) [Link]

(And, right, sorry, I see the sarcasm now. I got a little lost in the conversation there. More sleep needed!)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds