
Re: [Full-Disclosure] [SECURITY] [DSA-403-1] userland can access Linux kernel memory



Roman Drahtmueller wrote:

> The fact that security-relevant bugs get found and fixed in an open,
> transparent and traceable way may be specific to Linux, yes. 

The changelog message was quite cryptic.  This is not the first time
something like this has happened. Most of the security professionals I
know are simply scared by the way the kernel developers and distributors
handle security issues.

> Vendor-sec contributes to this, and it has not failed in doing so.

Well, most people assume that vendor-sec has not been told about this
vulnerability.  (I don't know.)  Given that vendor-sec is the only
recommended and working contact address for security issues with Linux, I
would think that this is a failure of the vendor-sec model (i.e. the
kernel hackers deny any responsibility for security/critical bug fix
releases and require vendors to coordinate the disclosure of kernel bugs
among each other).

If, contrary to the little evidence that is publicly available,
vendor-sec was informed during the usual pre-disclosure process, it
failed to react in a timely manner.  It might even have contributed to
the leakage of that exploit (see below).

So you and your users lose badly in both cases.

> The debian announcement only says that by the time that this bug was
> discovered, it was too late already for the 2.4.22 kernel release.

Another cre^Wgroup of researchers publicly claimed that they had
discovered this issue and that their exploit might have leaked to the
underground.  The report might be phoney, or it could reflect an
independent rediscovery.

(Just for clarification: "Linux" is just the kernel.  There is quite a
bit of free software whose developers handle security issues in a more
responsible manner.)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html