Message-ID: <YpC1emS62JHunSQm@dojo.mi.org>
Date: Fri, 27 May 2022 07:26:50 -0400
From: "Mike O'Connor" <mjo@...o.mi.org>
To: oss-security@...ts.openwall.com
Cc: Solar Designer <solar@...nwall.com>, peterz@...radead.org,
        nslusarek@....net
Subject: Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation

:I think it's important to remember that closed mailing lists filled
:with private/embargoed exploits become valuable targets. They have
:been compromised ever since Zardoz in the 1980s, vendor-sec was
:discontinued for the same reason. By keeping zerodays in linux-distros
:you paint a target on every recipient of the list. You should assume

Every recipient and their upstream providers.

:that any working exploit code you share to a mailing list will
:eventually fall into the hands of bad actors. Therefore, I don't think
:selective full-disclosure works.

Long ago, I suggested that such mailing lists should PLAN to be public
eventually, and disclose the info themselves before someone beats them
to it.  For example, when June comes up, April linux-distros archives
are made public, and that's advertised and known.  Given its two week
max embargo period, this shouldn't pose an issue for anyone.  There is
value in (eventually) seeing the sausage being made.  I know Solar has
made old linux-distros mailing list metadata public, and has advised folks
that "any/all list postings may be made public once the corresponding
security issue is publicly disclosed".  I suggest "may" become "will
eventually".

Take FWIW...
-Mike

-- 
 Michael J. O'Connor                                          mjo@...o.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Passion is the enemy of precision."                              -Daryl Zero
