lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHmME9o46z5G=RUfZeVTdQU4imLwkvvO1H2hrfjwR8Qpq=y3ew@mail.gmail.com>
Date:	Mon, 10 Aug 2015 15:31:24 +0200
From:	"Jason A. Donenfeld" <Jason@...c4.com>
To:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:	linux-kernel@...r.kernel.org,
	Dan Carpenter <dan.carpenter@...cle.com>,
	devel@...verdev.osuosl.org,
	Shigekatsu Tateno <shigekatsu.tateno@...el.com>,
	rupesh.gujare@...el.com
Subject: Ozwpan Driver: Removal Recommended

Hi Greg,

We spoke about this several months ago. Since then, there has been no
life from any of the maintainers or anybody at Atmel. Meanwhile Dan
Carpenter has posted a patch for a security vulnerability in ozwpan
that hasn't been reviewed or merged. There is nobody willing to
maintain it. And nobody who has relevant hardware has even said
"hello". All of my connections to ozwpan have yielded zero success in
trying to find a maintainer or anybody with even remote expertise.
Clearly this is dead in the water.

I would thus recommend you remove this buggy, insecure, and
unmaintained driver from the tree. It simply didn't pass the "staging
test".

Regards,
Jason

On Tue, Jun 2, 2015 at 1:35 PM, Jason A. Donenfeld <Jason@...c4.com> wrote:
> On Tue, Jun 2, 2015 at 3:35 AM, Greg Kroah-Hartman
> <gregkh@...uxfoundation.org> wrote:
>> I don't know, but I'm a bit loath to delete the driver from the tree as
>> then people will just continue to use the version with all of the bugs.
>
> Yea, I understand that. Though, I'm pretty sure that most users of
> ozwpan use old forks tied to old kernels, and do not use upstream
> anyway.
>
>> If Atmel doesn't want to maintain the code anymore, do you want to do
>> it?  You can always send patches for this issue, as you seem to have the
>> hardware and can do testing, which I can't.
>
> Thank you for the offer, and I would actually love to maintain a part
> of the kernel. But I am likely the wrong man for ozwpan (inspite of
> the Internet's claims of my wizardry [1]). The debugging I've done
> thus far is on a readily available consumer embedded device, which I
> was required to root and unsandbox and partake in other "security dark
> magic" in order to get a decent debugging interface. My rig is rather
> brittle and is likely to fall to pieces like aging solder at any
> moment. I'd recommend this be maintained by someone with proper test
> hardware and a suit of unit tests. This means: Atmel, or one of the
> many clients to whom Atmel has sold high volumes of ozwpan chips. I'll
> reach out where I can to see if I can find someone in a good position
> to maintain it.
>
> [1] https://twitter.com/drgfragkos/status/598776229282578432
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ