From: Aaron (apconole yahoo.com)
Date: Fri Aug 07 2009 - 12:41:09 CDT
> except we don't live in a black and white world. 'security bug' or heck,
> just 'bug' is not a binary property, there're many shades of grey in what
> exactly the bug accomplishes. it's clearly not enough to state that 'this
> commit fixes something but i did not want to bother to understand what',
> users of said commits need more information than that. fortunately not all
> developers share linus' mindset although their efforts are sometimes in
> vain when what he commits intentionally omits security relevant information.

Excuse me, but no one commits fixes without understanding what they've fixed.
If someone fixes a segfault/oops they might not have done the investigation to
determine whether or not something is theoretically or practically usable for something
nefarious, but they understand that there was a null pointer dereference, or an invalid
lock condition and they removed that problem.

The 'shades of grey' only exist to security people. To no one else is it important
that a bug disclose information, allow invalid root access, or escalate privileges.

So the point still stands, why burden the average kernel developer/debugger to do
security research work for the security researcher?
_______________________________________________
Dailydave mailing list
Dailydave lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave