Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAHQ_-nSt-YAyuSpjtFAe1Pvi9txYT7Z7kCT8j3nT4BjrqHOqCw@mail.gmail.com>
Date: Thu, 26 May 2022 11:17:52 -0700
From: Philip Pettersson <philip.pettersson@...il.com>
To: oss-security@...ts.openwall.com
Cc: Solar Designer <solar@...nwall.com>, peterz@...radead.org, nslusarek@....net
Subject: Re: CVE-2022-1729: race condition in Linux perf
 subsystem leads to local privilege escalation

Hi Norbert & list,

On Tue, May 24, 2022 at 3:23 PM Norbert Slusarek <nslusarek@....net> wrote:
> I don't intend to share the exploit to the public, mainly because
> the issue was fixed only few days ago. Instead, anyone wanting to check
> his own system for the bug should resort to the attached PoC repro.

I think it's important to remember that closed mailing lists filled
with private/embargoed exploits become valuable targets. They have
been compromised ever since Zardoz in the 1980s, vendor-sec was
discontinued for the same reason. By keeping zerodays in linux-distros
you paint a target on every recipient of the list. You should assume
that any working exploit code you share to a mailing list will
eventually fall into the hands of bad actors. Therefore, I don't think
selective full-disclosure works.

Regards,
Philip

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.