Date: Wed, 5 Feb 1997 14:36:11 -0600 (CST) From: Karl Denninger <karl@Mcs.Net> To: gibbs@narnia.plutotech.com (Justin T. Gibbs) Cc: karl@Mcs.Net, jgreco@solaria.sol.net, Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE Message-ID: <199702052036.OAA12786@Jupiter.Mcs.Net> In-Reply-To: <199702052028.MAA00483@narnia.plutotech.com> from "Justin T. Gibbs" at Feb 5, 97 12:28:11 pm
next in thread | previous in thread | raw e-mail | index | archive | help
> >The FIX is the go through setlocale() and fix the holes in the code! > >Nothing else is adequate, and every other path is a LOT more work. > > Every method for fixing this, and numerous other potential problems with > 2.1.6, 2.2, and 3.0 requires study, and after acceptance, careful coding, > a review process, and documentation. To do otherwise is to open us to a > recurring cycle of security whole/quick fix/security whole/quick fix. Core > has already determined a course of action on these issues and a statement > regarding the entire issue will be released once it has passed final review. I was told that this release would be posted LAST NIGHT. Its 15 hours beyond "last night". No information has been posted. Why? I've now provided a patch. Either commit it or get off the pot. > This will only serve to confuse our userbase about what the exact problem > is, which releases and binaries are affected, and how to address the problem > completly. During Core's investigation of this problem, much more information > then you provided has surfaced all of which will be communicated in our > announcement. That's false. The setlocale() problem is fixable with a patch to setlocale(). > >2.2 is ALSO affected. That's being IGNORED right now. > > Not true. Simply because you are not privy to the discussions about this > issue does not mean that we are ignoring anything. Our announcement will > have information on *all* versions of FreeBSD that have this problem. Keeping the discussion private (ie: "not privvy") means you believe there's something to hide. I disagree. Either discourse in public or it doesn't count in my book. Again, the talkd bug handling is what got me going on this generic issue with FreeBSD. Now we have a much more serious one. > Your attitude has not been one of, "Here is the problem, how can I direct > the resources at my disposal to help the project correct it." Instead, > you have pronounced yourself the "unsung hero" of security that will create > a solution of your own liking and publish whatever (dis)information you > see fit. As I mentioned before, this only adds to the confusion. Bullshit. I have now published a patch which corrects the problem in setlocale(). > If you have the resources to contribute to fixing this problem, all you need > to do is promise to cooperate in a controlled effort and we'll happily accept > your help. Right now, you look like a loaded gun with the safety off and we > cannot afford that kind of instability while we work to handle this delicate > situation. CORE created the loaded gun by mishandling the talkd problem. You further exacerbated it with this mess. Now you have a patch in hand. > >My fealty isn't to the core team. Its to the people out there who run the > >code, and to those who I've recommended use the software in question. > > Then quit confusing them with your comments and wait for our pending security > announcement which will have all of the facts straight and give proper > guidlines for securing an affected system. In a pig's eye. THAT goal could have been accomplished within hours. I waited for the promised announcement last night. It never came. Now I've coded a patch to fix the problem. Its been posted, and I'm verifying it. If it passes my inspection I want it committed, or a damn good reason why it won't be. NOW. -- -- Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service | 99 Analog numbers, 77 ISDN, Web servers $75/mo Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/ Fax: [+1 773 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702052036.OAA12786>