
Linux 2.6.30 exploit posted

Posted Jul 19, 2009 19:26 UTC (Sun) by vonbrand (subscriber, #4458)
In reply to: Linux 2.6.30 exploit posted by spender
Parent article: Linux 2.6.30 exploit posted

Sorry, but I have to agree that a code snippet with a rather vague description is next to useless. And the commit you have issues with could very well be "independent invention" (or, for the terminally paranoid, somebody took your snippet and made it into a complete example).

So you found a collection of bugs that in total turn out to be a serious, exploitable vulnerability. Commendations, more power to you! That some pieces (which by themselves alone aren't exploitable) aren't taken too seriously was to be expected, given the above. No "sweeping under the rug" here.

Please consider that there are tens of thousands of changesets flowing into the kernel each release cycle. If a few turn out to have exploitable bugs, it is a huge success ratio. Sure, this is sadly not enough.

Also, not everybody finding and fixing a problem is able to (or even interested in) finding out if the bug was a security problem, and even much less in developing exploit code. That very few bug fixes are labeled "Security risk" is to be expected, no dark coverup to be suspected here.


Linux 2.6.30 exploit posted

Posted Jul 30, 2009 13:57 UTC (Thu) by lysse (guest, #3190)

> somebody took your snippet and made it into a complete example

Or someone did what I've done myself in the past - tersely pointed out "useless bug report is useless", but then thought "oh, but hang on, what if there *is* a problem there?" and gone digging around themselves until they realised what the issue was and fixed it.

There's always another option, and there's always another way it could have happened.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds