Date:      Mon, 24 Mar 2003 11:02:22 -0600
From:      D J Hawkey Jr <hawkeyd@visi.com>
To:        "Jacques A. Vidrine" <nectar@FreeBSD.ORG>
Cc:        twig les <twigles@yahoo.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: another TCPDump update question (going slightly off-topic)
Message-ID:  <20030324110222.A8625@sheol.localdomain>
In-Reply-To: <20030324160020.GA1911@madman.celabo.org>; from nectar@FreeBSD.ORG on Mon, Mar 24, 2003 at 10:00:20AM -0600
References:  <20030311231326.82217.qmail@web10107.mail.yahoo.com> <20030324151410.GE94153@madman.celabo.org> <20030324093021.A8296@sheol.localdomain> <20030324160020.GA1911@madman.celabo.org>

On Mar 24, at 10:00 AM, Jacques A. Vidrine wrote:
> 
> On Mon, Mar 24, 2003 at 09:30:21AM -0600, D J Hawkey Jr wrote:
> > On Mar 24, at 09:14 AM, Jacques A. Vidrine wrote:
> > > You didn't miss anything.  There won't be a security advisory for this
> > > issue.
> > 
> > No?
> > 
> > Without insulting anyone, may I ask why not? tcpdump is included in the
> > base/standard OS, after all, and so is libpcap, which appears to be related.
> > 
> > IIRC, there have been SAs for DOS vulnerabilities before. What or where
> > is the line for what is or is not eligible for a SA?
> 
> Well, there are no hard-n-fast rules.  It's a judgement call.  We
> generally limit SAs to those issues that we deem `important', so as
> not to devalue them.  (cf. The Boy Who Cried Wolf)

I can appreciate this, yes. Might it not be worth a SN, though?

> You're right: there have been SAs for remote DoSs before.  In this
> case, both the circumstances that could lead to this remote DoS, and
> especially the impact of the bug are so minimal as to not be worth
> updating your system.

I'll defer to your judgement on this; I don't know how easy this hole
is to exploit. But if you'll indulge me, I'm thinking of a larger picture
that this might illustrate:

www.tcpdump.org shows a new libpcap "to go with" the updated tcpdump.
They don't say a vulnerability was in libpcap, but if so, a quick scan
of userland shows that pppd is linked to libpcap. By inference, I would
think kernel-mode PPP falls in line with this, too. Now, there's a
rather big "if" here, but if true, would this then qualify as worthy
of a SA? As an aside, isn't BPF also tied to libpcap?

I guess what my bigger concern is, is how much a diligent SysAdmin should
have to scan external entities to be up on vulnerabilities of utilities
that are part of the base/standard OS. My gut feeling is, "None, The
Project should inform the user base.", but that may be too high a bar
for what is essentially a for-free product. If my feeling is wrong, then
I have to wonder if these utilities that are not "truly BSD" shouldn't
be in the ports collection, and removed from the base?

Having said all this, I do in fact applaud you and your team for what
you do provide, considering it's all done gratis.

> Cheers,
> Jacques A. Vidrine <nectar@celabo.org>          http://www.celabo.org/

Thanks for listening,
Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/

