Date:      Tue, 21 Jan 2003 11:58:40 -0800 (PST)
From:      Mike Hoskins <mike@adept.org>
To:        security@freebsd.org
Subject:   Re: Vulnerability Note VU#412115
Message-ID:  <20030121114921.I9619-100000@fubar.adept.org>
In-Reply-To: <3E2D3E68.3070208@borderware.com>

On Tue, 21 Jan 2003, David Bell wrote:
> It may be quite small, however image wise it is not good IMHO that
> FreeBSD is not doing anything to respond to this, or at least have some
> sort of official statement.

I can see both sides.  It's not great for image, but in fairness all free
OS' have the same image right now.  In that vein, I believe it's because
all open-source projects are strapped for time...  And things which would
be "nice to have" often get a lower priority than things that are broken
and keeping the next release from happening.

> You say many device drivers display this behavior, can you be more
> specific? Or tell me which ones do not display the behavior?

I think that's the point...  Right now, no one really knows.  You'd have to
inspect the source wrt the RFC, find the improper padding, and offer
patches where you could (open-source drivers).  As Mr Clark indicated, the
effort would be obscured by binary drivers...  At that point you'd be
forced to solicit each and every commercial vendor and log their official
responses.  (If you get one.)  So you'd end up with an announcement to
CERT that still resembled an "unknown" status...  Because you'd have a
list of drivers, some of which would almost certainly be vulnerable and
some of which may not.

Of course I'm not saying I wouldn't like to see this (and every other
issue) addressed.  It's just a rather large task, and I think it would
need a sort of coordinator.  (Especially when it comes to soliciting and
collecting responses from vendors.)

Perhaps someone closer to the project could at least offer/collect a list
of drivers, and which ones rely on some binary.  Then we could begin
trying to fix what we can.  Of course all of the BSDs (maybe other OS'
too) would benefit.

--
Mike Hoskins		This message is RFC 1855 compliant,
mike@adept.org		www.adept.org/pub/rfcs/rfc1855.html
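The message above talks about inspecting a driver's transmit path for "improper padding" without saying what the check looks like. The following is an added example in C, not code from this thread, from any FreeBSD driver, or from the CERT note; it assumes (as a reading of VU#412115 that the message itself does not spell out) that the defect is a short Ethernet frame being padded to the 60-byte minimum with whatever the transmit buffer held before, instead of with zeros. The names `queue_frame`, `leaked_padding_bytes`, `demo_leak` and the static `tx_buf` are hypothetical, and the 0xAA "stale" content is constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN    14   /* destination MAC + source MAC + EtherType */
#define ETH_MIN_FRAME  60   /* IEEE 802.3 minimum length, excluding the 4-byte FCS */

/* Hypothetical transmit buffer.  A driver that never clears it between sends
 * leaves the previous frame's bytes in place (constructed for this example). */
static uint8_t tx_buf[ETH_MIN_FRAME];

/* Copy header + payload into tx_buf and bring the frame up to the minimum length.
 *   zero_pad != 0 : correct behaviour, the padding region is explicitly zeroed.
 *   zero_pad == 0 : the faulty pattern, the padding is whatever tx_buf already held.
 * Returns the length queued for transmission, or 0 if the input does not fit. */
size_t queue_frame(const uint8_t *hdr, const uint8_t *payload, size_t payload_len, int zero_pad)
{
    size_t used = ETH_HDR_LEN + payload_len;
    if (used > ETH_MIN_FRAME)
        return 0;                      /* frames at or above the minimum need no padding */
    memcpy(tx_buf, hdr, ETH_HDR_LEN);
    memcpy(tx_buf + ETH_HDR_LEN, payload, payload_len);
    if (zero_pad)
        memset(tx_buf + used, 0, ETH_MIN_FRAME - used);   /* the fix: clear the pad bytes */
    return ETH_MIN_FRAME;
}

/* Audit check: count bytes in the padding region that are not zero.
 * Returns -1 on inconsistent arguments, otherwise the number of suspect bytes. */
int leaked_padding_bytes(const uint8_t *frame, size_t frame_len, size_t payload_len)
{
    size_t used = ETH_HDR_LEN + payload_len;
    if (frame_len < ETH_MIN_FRAME || used > frame_len)
        return -1;
    int leaked = 0;
    for (size_t i = used; i < frame_len; i++)
        if (frame[i] != 0)
            leaked++;
    return leaked;
}

/* Scenario: a full-size frame fills tx_buf, then a 4-byte payload is sent.
 * Returns how many stale bytes would leave the host in the second frame's padding. */
int demo_leak(int zero_pad)
{
    uint8_t hdr[ETH_HDR_LEN] = {0};
    uint8_t earlier[ETH_MIN_FRAME - ETH_HDR_LEN];
    memset(earlier, 0xAA, sizeof earlier);            /* constructed "previous frame" content */
    queue_frame(hdr, earlier, sizeof earlier, 1);     /* 14 + 46 = 60 bytes, no padding needed */

    uint8_t payload[4] = {1, 2, 3, 4};
    size_t len = queue_frame(hdr, payload, sizeof payload, zero_pad);
    return leaked_padding_bytes(tx_buf, len, sizeof payload);
}

int main(void)
{
    printf("faulty driver pattern : %d stale padding bytes\n", demo_leak(0));
    printf("zeroed padding        : %d stale padding bytes\n", demo_leak(1));
    return 0;
}
```

The same `leaked_padding_bytes` check can be pointed at frames captured on the wire (header length 14, payload length taken from the IP total length field) to see whether a given NIC and driver pair is emitting non-zero padding, which is the observable symptom rather than a source inspection; note that it reports suspect bytes, not their origin, and a driver that pads with a constant non-zero byte would also trip it.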
