Date:      Wed, 05 Feb 1997 12:28:11 -0800
From:      "Justin T. Gibbs" <gibbs@narnia.plutotech.com>
To:        Karl Denninger <karl@Mcs.Net>
Cc:        jgreco@solaria.sol.net (Joe Greco), Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org
Subject:   Re: 2.1.6+++: crt0.c CRITICAL CHANGE 
Message-ID:  <199702052028.MAA00483@narnia.plutotech.com>
In-Reply-To: Your message of "Wed, 05 Feb 1997 12:46:16 CST." <199702051846.MAA08211@Jupiter.Mcs.Net> 

>I AM PART OF THE SOLUTION.

Your name isn't listed in reference to any of the action items for
addressing this issue (unless you count the one about PR control),
so I fail to see how this could be true.

Core was informed of the security issues regarding the 2.1.6 release
and other security issues related to 2.2 and 3.0 at approximately the
same time that you had your blow up and the actions we are taking now
are exactly the same as we would have taken regardless.

You may think that you've "kicked our butts into action", but the pride
we have in the project did that long before we were blessed with your
spittle.

>Look.  I've submitted prs before which have been flamed because they weren't
>"stylized" the way people wanted them, or were just ignored until some time
>later -- even when SEVERE and SECURITY have shown up in them.
>
>Frankly, I'm tired of tilting at windmills.

If the speed of development or reaction time of a free project like FreeBSD
does not suit your needs, then don't use it.

>The FIX is to go through setlocale() and fix the holes in the code! 
>Nothing else is adequate, and every other path is a LOT more work.

Every method for fixing this, and numerous other potential problems with
2.1.6, 2.2, and 3.0 requires study, and after acceptance, careful coding,
a review process, and documentation.  To do otherwise is to open us to a
recurring cycle of security hole/quick fix/security hole/quick fix.  Core
has already determined a course of action on these issues and a statement
regarding the entire issue will be released once it has passed final review.

>And yes, I WILL submit a pr on this as soon as I can find a few hours to 
>do the fix, verify it, and make world to test.  At the same time I post 
>it to the committers I'll post it publicly, and 24 hours later I post 
>the exploit which takes advantage of the problem.
>
>That's as far as I'll go.

This will only serve to confuse our userbase about what the exact problem
is, which releases and binaries are affected, and how to address the problem
completely.  During Core's investigation of this problem, much more information
than you provided has surfaced all of which will be communicated in our 
announcement.

>Frankly, until then setlocale() ought to have a "return()" right after its
>invocation -- noop the entire routine out until then.  It's THAT bad.

This does not completely address the security issue and would only give some
users undue self assurance that they are safe from further breakins.

>2.2 is ALSO affected.  That's being IGNORED right now.

Not true.  Simply because you are not privy to the discussions about this
issue does not mean that we are ignoring anything.  Our announcement will
have information on *all* versions of FreeBSD that have this problem.

>What makes you think we're not doing that.

Your attitude has not been one of, "Here is the problem, how can I direct
the resources at my disposal to help the project correct it."  Instead,
you have pronounced yourself the "unsung hero" of security that will create
a solution of your own liking and publish whatever (dis)information you
see fit.  As I mentioned before, this only adds to the confusion.

>I don't have commit access, and won't wait long for those who do to play
>with this.  If I had it you'd have already seen the commit; I would have
>stayed up all night last night to code a REAL fix.

Several Core members did stay up all last night working on this problem.

>As it is I won't stay up all night, because I have NO IDEA how long it will
>take for that to be of benefit -- or if it EVER will be.  That's a problem.

If you have the resources to contribute to fixing this problem, all you need
to do is promise to cooperate in a controlled effort and we'll happily accept
your help.  Right now, you look like a loaded gun with the safety off and we 
cannot afford that kind of instability while we work to handle this delicate 
situation.

>I don't CARE if you think I have credibility or not.  I'm getting email by
>the BOATLOAD in support of my stance on this issue, from others who are 
>affected and who are mad as hell at the way these issues have been handled
>in the past and present.

Then they have the same misconception; that flying off the handle made any
difference in how this issue was and is being handled.  It didn't.

>My fealty isn't to the core team.  It's to the people out there who run the
>code, and to those who I've recommended use the software in question.

Then quit confusing them with your comments and wait for our pending security
announcement which will have all of the facts straight and give proper 
guidelines for securing an affected system.

>-- 
>Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
>http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
>			     | 99 Analog numbers, 77 ISDN, Web servers $75/mo
>Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
>Fax:   [+1 773 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

--
Justin T. Gibbs
===========================================
  FreeBSD: Turning PCs into workstations
===========================================




