Message-ID: <20150731085101.GB2142@localhost.localdomain>
Date: Fri, 31 Jul 2015 01:51:01 -0700
From: Qualys Security Advisory <qsa@...lys.com>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper -
 CVE-2015-3246 libuser

Hello, this is one last post to an otherwise-closed sub-thread (with the
list moderators' approval): our intention is not to re-open this thread,
but to address some of the questions that were raised, and to emphasize
a few important facts.

On Thu, Jul 23, 2015, Leif Nixon wrote:
> *Why* are you releasing a full exploit just minutes after the patch is
> released?

First, this was just another local userland exploit, and local userland
exploits are usually published at the same time as their corresponding
patches and advisories:

http://www.openwall.com/lists/oss-security/2015/03/26/1
http://www.openwall.com/lists/oss-security/2015/04/14/4
http://www.openwall.com/lists/oss-security/2015/04/22/12
http://www.openwall.com/lists/oss-security/2015/05/21/9
http://www.openwall.com/lists/oss-security/2015/05/21/10
http://www.openwall.com/lists/oss-security/2015/06/16/2

Second, the libuser bugs are not complicated memory-corruption bugs (no
ROP-chain or ASLR-bypass is needed): an exploit for the common case can
be written in well under an hour (roothelper.c is complicated only
because it handles all corner cases).

Third, the userhelper binary is NOT default on all Red-Hat-based
distros, but the chfn binary IS, which is why we purposely chose to
release our userhelper exploit, but NOT our chfn exploit.

On Fri, Jul 24, 2015, Stephan Wiesand wrote:
> Wild guess: Their customers had plenty of time to understand the issue
> and its impact, and to roll out either a fix or some mitigation. And
> thus an edge. Looks like "just business...".

We are not into that kind of business: the reason we internally audit
open-source code at Qualys is that it allows us to make our products and
infrastructure more secure, and it is a great way to contribute to the
open-source community.

When we contacted Red Hat about the libuser vulnerabilities, we sent
them both our advisory and our exploit, and they promptly replied with
two CVEs and patches for us to review.  We would like to thank Red Hat's
Security Response Team and developers for giving us the opportunity to
review the patches while they were being written, because the end-result
greatly benefited from this cooperation.

As for why Red Hat published their updates and patches one hour after
the Coordinated Release Date (and we published our advisory even later
than that), Kurt Seifried already answered this here:

http://www.openwall.com/lists/oss-security/2015/07/24/3

With best regards,

-- 
the Qualys Security Advisory team
