Message-ID: <20130226204241.GB19936@kludge.henri.nerv.fi>
Date: Tue, 26 Feb 2013 22:42:41 +0200
From: Henri Salo <henri@...v.fi>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request - Linux kernel: VFAT slab-based buffer overflow

On Tue, Feb 26, 2013 at 01:31:59PM -0700, Kurt Seifried wrote:
> I suspect part of the problem is scale. Most people don't understand
> the scale at which the Linux Kernel and vendors handle bug fixes and
> code changes. External people simply see a few poorly handled security
> related issues and probably think "well how hard can it be to properly
> a few extra security flaws?" but they don't see that those 5 security
> issues were buried in 10,000 other code fixes. The resources needed to
> audit every code change for a security impact simply aren't available
> (and even if we had enough talented people who exactly is going to pay
> them all?).

Why should they be paid? I'd say the problem is that there aren't many people who understand the aspects needed to notice a security vulnerability in the Linux kernel, and it's even more difficult to fix it without breaking something else. Money is not the only thing getting stuff done.

-- 
Henri Salo