Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20171113145336.GA23241@openwall.com>
Date: Mon, 13 Nov 2017 15:53:36 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Security risk of server side text editing in general and vim.tiny specifically

On Fri, Nov 03, 2017 at 11:07:14AM +0000, Fiedler Roman wrote:
> PS: POC for vim.tiny on Ubuntu Xenial to overwrite arbitrary files as user root when editing file in directory owned by other user is available on request, disclosure after one week or if list discussion indicates other timing.

Please post this PoC in here ASAP.  Right now, you're in violation of
distros list policy for having posted the PoC in there yet not made it
public on oss-security within 7 days after posting about the issue
itself in here.  Please correct this.  (To me this is also an example of
misuse of the distros list, and then of the ability to delay posting the
PoC - creating administrative work for all of us out of thin air.)

The policy:

http://oss-security.openwall.org/wiki/mailing-lists/distros#list-policy-and-instructions-for-reporters

"If you shared exploit(s) that are not an essential part of the issue
description, then at your option you may slightly delay posting them to
oss-security but you must post the exploits to oss-security within at
most 7 days"

Also, it looks like Gentoo and Amazon failed to track this and remind
you on November 10.  They should have, as per:

http://oss-security.openwall.org/wiki/mailing-lists/distros#contributing-back

"12. If exploit(s) were shared on the list, make sure that either
they're included in the oss-security posting along with the issue detail
or the posting includes an announcement of planned later posting of the
exploits (with the delay being within list policy), and in the latter
case also make sure that the later posting is in fact made as planned,
and remind the reporter if not - primary: Gentoo, backup: Amazon"

So at least this worked as an almost failed test of our handling of this
little administrative task.  Maybe on some other occasion it would be
actually important, so let's debug and fix it now.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.