Date: Mon, 18 Dec 2000 19:02:10 -0800
From: Kris Kennaway <kris@FreeBSD.ORG>
To: Esa Etelavuori <eetelavu@cc.hut.fi>
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs
Message-ID: <20001218190210.E2629@citusc.usc.edu>
In-Reply-To: <20001219034205.A29042@ksylofoni.hut.fi>; from eetelavu@cc.hut.fi on Tue, Dec 19, 2000 at 03:42:05AM +0200
References: <20001218153619.071BE37B400@hub.freebsd.org> <20001219034205.A29042@ksylofoni.hut.fi>
On Tue, Dec 19, 2000 at 03:42:05AM +0200, Esa Etelavuori wrote:
> Looks fine but the story is quite unfortunate. I heard afterwards
> from Frank van Vliet that they notified security-officer@freebsd.org about
> procfs/mem problems on October 25. I mailed the FreeBSD team about the
> procfs/status buffer overflow on October 27.

I have already explained the reasons for the delays in releasing the advisory, but let me go over some of them again:

* procfs does not have an active maintainer in FreeBSD, meaning it was difficult to find reviewers for some of the patches, especially because of significant API changes between the various branches. From our point of view this was a very difficult problem to get fixed.

* As far as I can tell the ctl problem was only pointed out to us after we'd fixed all of the other ones and were ready to release - this was just after the release of 4.2. It triggered off another cycle of trying to get patches written and reviewed, which was longer for the reason below.

* We're busy people, and most of the people who were trying to get the fixes written and in place have been travelling or otherwise busy with work. Don't forget that we're volunteers... we appreciate the work of people such as yourself in discovering and responsibly reporting this kind of bug, but please realise that sometimes they cannot be fixed in internet time due to fundamental laws of physics and economics :-)

* We could have committed an obvious patch right away, but chances are it would have been wrong, and in fact I believe at least one of the patches submitted to us which claimed to fix a problem here did not. Much better to take a few extra days and get it right.

> Afterwards it seems like a mistake to wait for over 7 weeks when partial
> fixes had been on the public CVS for most of the time. Now I wonder how
> many of "bad guys" actually scan for those changes, apparently one could get
> at least several days advantage with many open source projects.

Yes, this is the case. It's a conscious decision to get the fix in as soon as possible so people who update regularly have access to it, instead of delaying the committing of the patches until the advisory is ready, which may be a month or more where ALL FreeBSD users are vulnerable to a serious problem.

> CVS changes/notes can be very revealing for automated scanners, and
> there probably has been other silent "minor" fixes in addition to
> netgraph(3) loading kernel modules regardless of the securelevel on <4.1
> (pointed to me by Pascal Bouchareine).

When this was raised to us it was determined not to be a security vulnerability, I believe. It's too long ago for me to remember the precise details. It's certainly not a policy decision to ignore security vulnerabilities, and I think our track record in this regard is better than that of many other vendors. Sometimes they have to be prioritised and queued however, and sometimes they slip through the cracks because we're not made aware of them or whatever.

Kris
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001218190210.E2629>