From: Mike Hoskins <mike@adept.org>
To: security@freebsd.org
Date: Tue, 21 Jan 2003 11:58:40 -0800 (PST)
Subject: Re: Vulnerability Note VU#412115
In-Reply-To: <3E2D3E68.3070208@borderware.com>
Message-ID: <20030121114921.I9619-100000@fubar.adept.org>

On Tue, 21 Jan 2003, David Bell wrote:

> It may be quite small, however image wise it is not good IMHO that
> FreeBSD is not doing anything to respond to this, or at least have some
> sort of official statement.

I can see both sides. It's not great for image, but in fairness all free OS's have the same image right now. In that vein, I believe it's because all open source projects are strapped for time... and things which would be "nice to have" often get a lower priority than things that are broken and keeping the next release from happening.

> You say many device drivers display this behavior, can you be more
> specific? Or tell me which ones do not display the behavior?

I think that's the point... Right now, no one really knows. You'd have to inspect the source wrt the RFC, find the improper padding, and offer patches where you could (open source drivers). As Mr. Clark indicated, the effort would be obscured by binary drivers... At that point you'd be forced to solicit each and every commercial vendor and log their official responses. (If you get one.) So you'd end up with an announcement to CERT that still resembled an "unknown" status... because you'd have a list of drivers, some of which would almost certainly be vulnerable and some of which may not.

Of course I'm not saying I wouldn't like to see this (and every other issue) addressed. It's just a rather large task, and I think it would need a sort of coordinator. (Especially when it comes to soliciting and collecting responses from vendors.) Perhaps someone closer to the project could at least offer/collect a list of drivers, and which ones rely on some binary. Then we could begin trying to fix what we can. Of course all of the BSDs (maybe other OS's too) would benefit.

-- 
Mike Hoskins
mike@adept.org
This message is RFC 1855 compliant, www.adept.org/pub/rfcs/rfc1855.html
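The "improper padding" the message asks reviewers to look for, as an added illustration that is not from this thread or from any FreeBSD driver: VU#412115 concerns drivers that raise a short frame's transmit length to the Ethernet minimum without writing the pad bytes, so stale buffer contents leave the host. Below, the leaky routine sits beside its corrected form, with the audit check one would run over captured short frames; buffer sizes, the stale fill byte and the frame contents are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimum Ethernet frame length on the wire, excluding the 4-byte FCS.
 * A frame carrying less data than this must be padded before transmit. */
#define ETHER_MIN_LEN 60

/* Leaky padding (the defect VU#412115 describes): the length handed to the
 * hardware is raised to the minimum, but the pad bytes are never written,
 * so whatever the buffer held before is transmitted. */
size_t pad_frame_leaky(uint8_t *buf, size_t len)
{
    (void)buf;                      /* pad region deliberately untouched */
    return len < ETHER_MIN_LEN ? ETHER_MIN_LEN : len;
}

/* Corrected padding: the pad region is explicitly zeroed. */
size_t pad_frame_zeroed(uint8_t *buf, size_t len)
{
    if (len < ETHER_MIN_LEN) {
        memset(buf + len, 0, ETHER_MIN_LEN - len);
        len = ETHER_MIN_LEN;
    }
    return len;
}

/* Audit check: count nonzero bytes in the pad region of a frame whose real
 * data ends at data_len. Nonzero padding on captured short frames is the
 * symptom to look for when vetting a driver. */
size_t nonzero_pad_bytes(const uint8_t *frame, size_t data_len, size_t frame_len)
{
    size_t n = 0;
    for (size_t i = data_len; i < frame_len; i++)
        if (frame[i] != 0)
            n++;
    return n;
}

/* Simulate one transmit: a buffer still holding stale bytes (constructed
 * fill 0xA5) receives data_len bytes of real frame, then is padded by the
 * chosen routine. Returns how many pad bytes would leak onto the wire. */
size_t simulate_leak(size_t data_len, int zero_pad)
{
    uint8_t buf[1514];
    memset(buf, 0xA5, sizeof buf);          /* stale contents from earlier use */
    memset(buf, 0x11, data_len);            /* header + payload (constructed) */
    size_t len = zero_pad ? pad_frame_zeroed(buf, data_len)
                          : pad_frame_leaky(buf, data_len);
    return nonzero_pad_bytes(buf, data_len, len);
}
```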