Message-ID: <20170621135727.GA12852@openwall.com>
Date: Wed, 21 Jun 2017 15:57:27 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - The Stack Clash

On Wed, Jun 21, 2017 at 08:25:26AM -0400, Brad Spengler wrote:
> Finally, one thing I noted was missing from Solar's timeline is that
> on May 18th, the day after the private distros list was notified with
> details, this commit appeared in public:
> https://github.com/openbsd/src/commit/4ed6bfeac112229466414b94cdbd983fb8017796

IIRC, they also committed a relevant fix to their qsort().

> OpenBSD publishing this commit, in combination with Solar making repeated
> mentions here on oss-sec about a cross-OS issue being worked on was enough
> for me to know that the underlying issue being discussed was what we had
> widely discussed publicly in 2010 on LWN and elsewhere. What's the official
> explanation for this, and is any action being taken for what I assume is a
> member of the private list breaking the embargo?

OpenBSD isn't a member of the distros list - they were notified by Qualys
separately. This matter was discussed, and some folks were unhappy about
OpenBSD's action, but in the end it was decided that since, as you correctly
say, the underlying issue was already publicly known, OpenBSD's commits don't
change things much. Sure this draws renewed attention to the problem, but
probably not to the extent and in the many specific ways the Qualys findings
cover. So it was decided to keep the embargo on the detail.

Ditto for the "move mmap_area and PIE binaries away from the stack" patch
series posted to LKML and CC'ed to kernel-hardening on June 2:

http://www.openwall.com/lists/kernel-hardening/2017/06/02/

which might have been inspired by Qualys work known to Red Hat engineers
internally. A difference is that Red Hat is a member of the distros list.
I brought this up on the distros list, and another Red Hat person said
"We'll deal with this internally." Given the circumstances, I find this
response satisfactory.

I am far more concerned about the total embargo duration here than about
these two semi-leaks.

Alexander