| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Jun 2008 10:28:56 +0400 From: Alexey Dobriyan <adobriyan@...il.com> To: Henrique de Moraes Holschuh <hmh@....eng.br> Cc: linux-kernel@...r.kernel.org Subject: Re: Linux 2.6.25.6 On Tue, Jun 10, 2008 at 08:06:45PM -0300, Henrique de Moraes Holschuh wrote: > On Tue, 10 Jun 2008, Alexey Dobriyan wrote: > > Person fixing a bug may not realize he fixes security-sensitive bug. > > That is a valid reason, I am pretty sure everyone here (including me) has > been guilty of that one. Which doesn't mean we can't do better to educate > ourselves on the patterns for the most common issues. The "fix for a > null-dereference to anything that has a function pointer in it" is such a > pattern. Sure. > > Or simply doesn't care because there are 5 more to fix for today. > > THAT, however, is unacceptable IMO. If one can't be bothered, or one > doesn't have the time (or the skill, whatever) to access the severity of a > fix, he should ask for someone to do that on the commit message. One extra > short sentence at the end of the commit message [asking for that help] is > DEFINATELY not too much to ask. I just realized crapload of NULL dereferences were fixed in /proc and near last couple of releases. They were never proposed for any -stable. And, in retrospective, they wouldn't have been marked as security sensitive. Do you read OpenBSD commit logs? -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists