User: Password:
|
|
Subscribe / Log in / New account

A /proc/PID/mem vulnerability

A /proc/PID/mem vulnerability

Posted Feb 8, 2012 7:41 UTC (Wed) by Duncan (guest, #6647)
In reply to: A /proc/PID/mem vulnerability by alonz
Parent article: A /proc/PID/mem vulnerability

Not that many will ever read this far down even if they come across the article via google or whatever at this late date, but...

What is there about ...

"isn't very robust.. doesn't match the permission checking... This changes ... permission checks"

... that does not SCREAM security vuln? To me it certainly does!

I mean, what is one /doing/ "permissions checks" for if not for security? Otherwise they'd be something else, data validity checks, maybe. But if they're permissions checks, then by implications there's something there to be secured BY those permissions checks.

And if the simple phrase "permission checks" isn't enough to get someone investigating, surely adding "isn't very robust... changing" to the mix, when the context is "permission checks" should do so!

If I say my bank account isn't very robust and that I'm working to change it, who wouldn't read that as a saying I lack money but am trying to change it? If I say the permission checks aren't very robust and that they're being changed, how on earth can it mean anything BUT "THIS COMMIT HAS POTENTIAL SECURITY IMPLICATIONS!"? (Yes, to me it's SHOUTING, so the caps are warranted.)

Duncan


(Log in to post comments)

A /proc/PID/mem vulnerability

Posted Feb 11, 2012 19:56 UTC (Sat) by alonz (subscriber, #815) [Link]

Yes, the changelog doesn't competently hide that there are security issues.

But it does hide the specific vulnerability in the previous code. So it's really useless for educating the next generation. (Unless you believe whoever next touches this code will magically understand what the real issue is…?)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds