Date: Wed, 16 Jul 2008 09:44:37 -0400
From: spender@...ecurity.net (Brad Spengler)
To: dailydave@...ts.immunitysec.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Linux's unofficial security-through-coverup policy

Hi all,

I doubt many of you are following the "discussions" (if they can be 
called that) that have been going on on LWN for the past couple weeks 
regarding security fixes being intentionally covered up by the Linux 
kernel developers and -stable maintainers.  Here are some references:

http://lwn.net/Articles/285438/
http://lwn.net/Articles/286263/
http://lwn.net/Articles/287339/
http://lwn.net/Articles/288473/
http://lwn.net/Articles/289805/

The Linux kernel has a formal policy in Documentation/SecurityBugs which 
states under Section 2 Disclosure:
"We prefer to fully disclose the bug as soon as possible."

However, their policy in reality is quite different, as you can see for 
yourself in the "discussion" going on now on LKML:

http://marc.info/?t=121507404600023&r=1&w=2

Some choice quotes from Linus that reflect how sad the current state is:
http://marc.info/?l=linux-kernel&m=121617056910384&w=2
(on commenting about what he would allow to be included in a commit 
message)
"I literally draw the line at anything that is simply greppable for. If 
it's not a very public security issue already, I don't want a simple 
"git log + grep" to help find it."

http://marc.info/?l=linux-kernel&m=121613851521898&w=2
(when talking about the security backports Linux vendors provide for 
customers)
"And they mostly do a crap job at it, only focusing on a small 
percentage (the ones that were considered to be "big issues")"

They seem to have the impression that people who find an exploit kernel 
vulnerabilities rely on the commit messages fixing the vulnerability 
including some mention of security.  As it should be clear to anyone 
actually involved in the security community, or anyone who has ever 
written an exploit (particularly for the myriad silently fixed 
vulnerabilities in Linux), this is far from reality.  The people who 
*do* rely on these messages and announcements however are the smaller 
distributions and individual users.  Yet Linus et al believe they're 
helping you by pulling the wool over your eyes regarding the exploitable 
vulnerabilities in their OS.

To illustrate the point, in the 2.6.25.10 kernel, the following fix was 
included with the commit message of:
Roland McGrath (1):
      x86_64 ptrace: fix sys32_ptrace task_struct leak

The kernel was released with no mention of security vulnerabilities in 
the announcement, only "assorted bugfixes".

Put simply, it only took about an hour or so to develop a PoC for this 
exploitable vulnerability which affects 64bit x86_64 kernels since 
January.  So since the time of the fix itself (or even before that if 
someone spotted it before the kernel developers did themselves) users 
have been at risk.  Yet in the imaginary world they live in, these 
kernel developers think they're protecting you from that risk by not 
telling you what you're vulnerable to.

Please let them know what you think of their policy of non-disclosure 
and coverups.  I hope someone also educates them on their ridiculous 
notion of "untrusted local users" like Greg uses in his announcement of 
the 2.6.25.11 kernel:
http://lwn.net/Articles/289804/

If you remain complacent about the state of affairs, you're only 
enabling them to continue their current misguided foolishness.

-Brad

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists