[Full-disclosure] Linux's unofficial security-through-coverup policy

From: Brad Spengler (spendergrsecurity.net)
Date: Wed Jul 16 2008 - 08:44:37 CDT

Hi all,

I doubt many of you are following the "discussions" (if they can be
called that) that have been going on on LWN for the past couple weeks
regarding security fixes being intentionally covered up by the Linux
kernel developers and -stable maintainers. Here are some references:


The Linux kernel has a formal policy in Documentation/SecurityBugs which
states under Section 2 Disclosure:
"We prefer to fully disclose the bug as soon as possible."

However, their policy in reality is quite different, as you can see for
yourself in the "discussion" going on now on LKML:


Some choice quotes from Linus that reflect how sad the current state is:
(on commenting about what he would allow to be included in a commit)
"I literally draw the line at anything that is simply greppable for. If
it's not a very public security issue already, I don't want a simple
"git log + grep" to help find it."

(when talking about the security backports Linux vendors provide for
"And they mostly do a crap job at it, only focusing on a small
percentage (the ones that were considered to be "big issues")"

They seem to have the impression that people who find and exploit kernel
vulnerabilities rely on the commit messages fixing the vulnerability
including some mention of security. As it should be clear to anyone
actually involved in the security community, or anyone who has ever
written an exploit (particularly for the myriad silently fixed
vulnerabilities in Linux), this is far from reality. The people who
*do* rely on these messages and announcements, however, are the smaller
distributions and individual users. Yet Linus et al believe they're
helping you by pulling the wool over your eyes regarding the exploitable
vulnerabilities in their OS.

To illustrate the point, in the kernel, the following fix was
included with the commit message of:
Roland McGrath (1):
      x86_64 ptrace: fix sys32_ptrace task_struct leak

The kernel was released with no mention of security vulnerabilities in
the announcement, only "assorted bugfixes".

Put simply, it only took about an hour or so to develop a PoC for this
exploitable vulnerability which affects 64bit x86_64 kernels since
January. So since the time of the fix itself (or even before that if
someone spotted it before the kernel developers did themselves) users
have been at risk. Yet in the imaginary world they live in, these
kernel developers think they're protecting you from that risk by not
telling you what you're vulnerable to.

Please let them know what you think of their policy of non-disclosure
and coverups. I hope someone also educates them on their ridiculous
notion of "untrusted local users" like Greg uses in his announcement of
the kernel:

If you remain complacent about the state of affairs, you're only
enabling them to continue their current misguided foolishness.




Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/