« Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications) | Main | Spring Framework vulnerabilities »

GRSecurity Author Outlines Lack of Full Vulnerability Disclosure by Linux Kernel Developers

From the 'If you don't know, now you know, !@#$!' department


The following email was sent to the full disclosure mailing list today by Brad Spengler, the author of GRSecurity.

"I doubt many of you are following the "discussions" (if they can be called that) that have been going on on LWN for the past couple weeks regarding security fixes being intentionally covered up by the Linux kernel developers and -stable maintainers. Here are some references:

http://lwn.net/Articles/285438/
http://lwn.net/Articles/286263/
http://lwn.net/Articles/287339/
http://lwn.net/Articles/288473/
http://lwn.net/Articles/289805/

The Linux kernel has a formal policy in Documentation/SecurityBugs which states under Section 2 Disclosure: "We prefer to fully disclose the bug as soon as possible."

However, their policy in reality is quite different, as you can see for yourself in the "discussion" going on now on LKML:

http://marc.info/?t=121507404600023&r=1&w=2

Some choice quotes from Linus that reflect how sad the current state is: http://marc.info/?l=linux-kernel&m=121617056910384&w=2
(on commenting about what he would allow to be included in a commit message) "I literally draw the line at anything that is simply greppable for. If it's not a very public security issue already, I don't want a simple "git log + grep" to help find it."

http://marc.info/?l=linux-kernel&m=121613851521898&w=2
(when talking about the security backports Linux vendors provide for customers) "And they mostly do a crap job at it, only focusing on a small percentage (the ones that were considered to be "big issues")"

They seem to have the impression that people who find an exploit kernel vulnerabilities rely on the commit messages fixing the vulnerability including some mention of security. As it should be clear to anyone actually involved in the security community, or anyone who has ever written an exploit (particularly for the myriad silently fixed vulnerabilities in Linux), this is far from reality. The people who *do* rely on these messages and announcements however are the smaller distributions and individual users. Yet Linus et al believe they're helping you by pulling the wool over your eyes regarding the exploitable vulnerabilities in their OS.

To illustrate the point, in the 2.6.25.10 kernel, the following fix was included with the commit message of:
Roland McGrath (1):
x86_64 ptrace: fix sys32_ptrace task_struct leak

The kernel was released with no mention of security vulnerabilities in the announcement, only "assorted bugfixes".

Put simply, it only took about an hour or so to develop a PoC for this exploitable vulnerability which affects 64bit x86_64 kernels since January. So since the time of the fix itself (or even before that if someone spotted it before the kernel developers did themselves) users have been at risk. Yet in the imaginary world they live in, these kernel developers think they're protecting you from that risk by not telling you what you're vulnerable to.

Please let them know what you think of their policy of non-disclosure and coverups. I hope someone also educates them on their ridiculous notion of "untrusted local users" like Greg uses in his announcement of the 2.6.25.11 kernel: http://lwn.net/Articles/289804/

If you remain complacent about the state of affairs, you're only enabling them to continue their current misguided foolishness.

-Brad"

Email Thread Link: http://archives.neohapsis.com/archives/fulldisclosure/2008-07/0275.html

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.


All Comments are Moderated and will be delayed!


Post a comment







Remember personal info?