Mailing List Archive

local root exploit for linux 2.4 and linux 2.6.
Hi all,

Just to let you people know that there is a local root exploit for linux
2.4.x and linux 2.6.x.

full info:
http://isec.pl/vulnerabilities/isec-0021-uselib.txt

It's kind of strange that this kind of information pops up on slashdot
but doesn't appear in the gentoo-security ML.

greets to all!
--
Miguel Sousa Filipe

--
gentoo-security@gentoo.org mailing list
Re: local root exploit for linux 2.4 and linux 2.6.
On Saturday 08 January 2005 12:21 am, Miguel Filipe wrote:
> It's kind of strange that this kind of information pops up on slashdot
> but doesn't appear in the gentoo-security ML.

http://bugs.gentoo.org/show_bug.cgi?id=77025

we don't feel the need to file a bug *and* talk about it on the mailing list,
that's just stupid :P
-mike

--
gentoo-security@gentoo.org mailing list
Re: local root exploit for linux 2.4 and linux 2.6.
On Sat, 08 Jan 2005 00:26:19 -0500, Mike Frysinger wrote:

> http://bugs.gentoo.org/show_bug.cgi?id=77025
>
> we don't feel the need to file a bug *and* talk about it on the mailing list,

So, in order to be informed about security issues as they pertain to
Gentoo, it's not enough to monitor the Gentoo Security list?

> that's just stupid :P

I agree!

--
Lenroc


--
gentoo-security@gentoo.org mailing list
Re: local root exploit for linux 2.4 and linux 2.6.
On Fri, 07 Jan 2005 22:37:21 -0700, Lenroc wrote:

> So, in order to be informed about security issues as they pertain to
> Gentoo, it's not enough to monitor the Gentoo Security list?

Sorry, I didn't make it clear enough that this was humor.

Before anyone takes it the wrong way, I thought I'd clear that up.

--
Lenroc


--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Saturday 08 January 2005 12:37 am, Lenroc wrote:
> So, in order to be informed about security issues as they pertain to
> Gentoo, it's not enough to monitor the Gentoo Security list?

sign up for a bugzilla account and add 'security@gentoo.org' to your watch
list

a ton of other people already do
-mike

--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Saturday 08 January 2005 12:49 am, Lenroc wrote:
> Sorry, I didn't make it clear enough that this was humor.
>
> Before anyone takes it the wrong way, I thought I'd clear that up.

sarcastic humor ;)

my first reply was harsh only because original poster came off sounding like
an ass
-mike

--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
Good point, but I'd have to say that it defeats the purpose of having this
list. This exploit was particularly dangerous, especially for people who
use linux (gentoo and other distros) as a platform to provide webhosting
and shell accounts.

I think this sort of *emergency* security notification should go out on
the list ASAP.

kris

On Sat, 8 Jan 2005, Mike Frysinger wrote:

> On Saturday 08 January 2005 12:37 am, Lenroc wrote:
>> So, in order to be informed about security issues as they pertain to
>> Gentoo, it's not enough to monitor the Gentoo Security list?
>
> sign up for a bugzilla account and add 'security@gentoo.org' to your watch
> list
>
> a ton of other people already do
> -mike
>
> --
> gentoo-security@gentoo.org mailing list
>

--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
I don't mean to be abrasive or anything, but isn't that what the community
is for? We all work together and as one discovers a security threat they
(as you have done) post it to the list (whether they found it on slashdot,
google, securityfocus, etc), and there it is.

There is the aforementioned bugs watch list, but I don't know how to
enable that (have logged in, but don't see a watch feature), although I
haven't looked more than a couple minutes into it.

Just my 2 cents, am I off base here?

> Good point, but I'd have to say that it defeats the purpose of having this
> list. This exploit was particularly dangerous, especially for people who
> use linux (gentoo and other distros) as a platform to provide webhosting
> and shell accounts.
>
> I think this sort of *emergency* security notification should go out on
> the list ASAP.
>
> kris
>
> On Sat, 8 Jan 2005, Mike Frysinger wrote:
>
>> On Saturday 08 January 2005 12:37 am, Lenroc wrote:
>>> So, in order to be informed about security issues as they pertain to
>>> Gentoo, it's not enough to monitor the Gentoo Security list?
>>
>> sign up for a bugzilla account and add 'security@gentoo.org' to your
>> watch
>> list
>>
>> a ton of other people already do
>> -mike
>>
>> --
>> gentoo-security@gentoo.org mailing list
>>
>
> --
> gentoo-security@gentoo.org mailing list
>
>
--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Saturday 08 January 2005 01:33 am, Joey McCoy wrote:
> I don't mean to be abrasive or anything, but isn't that what the community
> is for? We all work together and as one discovers a security threat they
> (as you have done) post it to the list (whether they found it on slashdot,
> google, securityfocus, etc), and there it is.

that's fine, but acting like an ass doesn't mean you'll get a warm reception

if you guys want to know about linux vulns, you'd probably be interested in
the other 5 announced by grsec
http://bugs.gentoo.org/show_bug.cgi?id=77094
-mike

--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
Sorry. I think I was coming off as too abrasive. That's actually a very
good point.

kris

On Sat, 8 Jan 2005, Joey McCoy wrote:

> I don't mean to be abrasive or anything, but isn't that what the community
> is for? We all work together and as one discovers a security threat they
> (as you have done) post it to the list (whether they found it on slashdot,
> google, securityfocus, etc), and there it is.
>
> There is the aforementioned bugs watch list, but I don't know how to
> enable that (have logged in, but don't see a watch feature), although I
> haven't looked more than a couple minutes into it.
>
> Just my 2 cents, am I off base here?
>
>> Good point, but I'd have to say that it defeats the purpose of having this
>> list. This exploit was particularly dangerous, especially for people who
>> use linux (gentoo and other distros) as a platform to provide webhosting
>> and shell accounts.
>>
>> I think this sort of *emergency* security notification should go out on
>> the list ASAP.
>>
>> kris
>>
>> On Sat, 8 Jan 2005, Mike Frysinger wrote:
>>
>>> On Saturday 08 January 2005 12:37 am, Lenroc wrote:
>>>> So, in order to be informed about security issues as they pertain to
>>>> Gentoo, it's not enough to monitor the Gentoo Security list?
>>>
>>> sign up for a bugzilla account and add 'security@gentoo.org' to your
>>> watch
>>> list
>>>
>>> a ton of other people already do
>>> -mike
>>>
>>> --
>>> gentoo-security@gentoo.org mailing list
>>>
>>
>> --
>> gentoo-security@gentoo.org mailing list
>>
>>
>
>
>
> --
> gentoo-security@gentoo.org mailing list
>
>

--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Sat, 8 Jan 2005 01:41:52 -0500, Mike Frysinger <vapier@gentoo.org> wrote:
> if you guys want to know about linux vulns, you'd probably be interested in
> the other 5 announced by grsec
> http://bugs.gentoo.org/show_bug.cgi?id=77094

Relax, these are not serious bugs. (They should have been prevented,
that's a larger problem):
<http://www.ussg.iu.edu/hypermail/linux/kernel/0501.0/1997.html>

--
"May the source be with you"

--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
Joey McCoy wrote:

> I don't mean to be abrasive or anything, but isn't that what the community
> is for? We all work together and as one discovers a security threat they
> (as you have done) post it to the list (whether they found it on slashdot,
> google, securityfocus, etc), and there it is.

Make our job easier, search for duplicates and if there aren't, file a
new security bug in Bugzilla. Procedure is all very detailed at
http://security.gentoo.org. We just can't follow all MLs and forums and
we also don't have much time to enter new bugs. That's where the
community can help.

> There is the aforementioned bugs watch list, but I don't know how to
> enable that (have logged in, but don't see a watch feature), although I
> haven't looked more than a couple minutes into it.
>
> Just my 2 cents, am I off base here?

As a Gentoo user, you either follow the GLSAs (gentoo-announce) or if
you find those not enough "reactive" you can subscribe to Bugzilla and
follow all our vuln-whacking progress by watching security@gentoo.org.

Once logged in, go to Prefs/Email settings (or directly
http://bugs.gentoo.org/userprefs.cgi?tab=email) and enter
security@gentoo.org in "Users to watch".

--
Koon
Operational Manager, Gentoo Linux Security

--
gentoo-security@gentoo.org mailing list
Re: local root exploit for linux 2.4 and linux 2.6.
> On Saturday 08 January 2005 12:21 am, Miguel Filipe wrote:
>> It's kind of strange that this kind of information pops up on slashdot
>> but doesn't appear in the gentoo-security ML.
>
> http://bugs.gentoo.org/show_bug.cgi?id=77025
>
> we don't feel the need to file a bug *and* talk about it on the mailing
> list, that's just stupid :P

I don't think that. A local root exploit is something bad for sysadmins,
and sysadmins have more things to do than just watch every bug in
bugs.gentoo.org looking for root exploits or some other security flaws.
I think that the gentoo-security ML should "notify" us about these
problems.


Greetings,
Carlos Silva
--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
> Joey McCoy wrote:
>
>> I don't mean to be abrasive or anything, but isn't that what the
>> community
>> is for? We all work together and as one discovers a security threat
>> they
>> (as you have done) post it to the list (whether they found it on
>> slashdot,
>> google, securityfocus, etc), and there it is.
>
> Make our job easier, search for duplicates and if there aren't, file a
> new security bug in Bugzilla. Procedure is all very detailed at
> http://security.gentoo.org. We just can't follow all MLs and forums and
> we also don't have much time to enter new bugs. That's where the
> community can help.
>
>> There is the aforementioned bugs watch list, but I don't know how to
>> enable that (have logged in, but don't see a watch feature), although
>> I
>> haven't looked more than a couple minutes into it.
>>
>> Just my 2 cents, am I off base here?
>
> As a Gentoo user, you either follow the GLSAs (gentoo-announce) or if
> you find those not enough "reactive" you can subscribe to Bugzilla and
> follow all our vuln-whacking progress by watching security@gentoo.org.
>
I agree with this. I think there should be some separation of things.
There are security vulnerabilities that aren't "serious" and others that
are critical. I think that all we want is to have the critical ones
(like root exploits) announced here so we can be notified faster.


--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
Anyway the exploit does not work for me.
Tested against:
- 2.6.5-gentoo-r1
- 2.4.24-openmosix-r1
- 2.4.26-gentoo-r13
- 2.6.9-gentoo-r9

And it does not even compile against:
- 2.6.9-gentoo-r13, linux26-headers-2.6.8.1-r2, i686-pc-linux-gnu-3.3.4

gcc -O2 -fomit-frame-pointer elflbl.c -o elflbl
elflbl.c: In function `scan_mm_start':
elflbl.c:426: error: storage size of `l' isn't known
elflbl.c:426: error: storage size of `l' isn't known
elflbl.c: In function `check_vma_flags':
elflbl.c:545: warning: deprecated use of label at end of compound statement

--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
LoL, I came "sounding like an ass"?
Why is that?
Because I talked about a LOCAL ROOT EXPLOIT ..that isn't mentioned in
the GENTOO SECURITY ML because it's in the bugs repository?
So basically this list is good for flames about the portage system
(in)security but not good for informing gentoo users about a local
root exploit.. very nice!

I don't have your time, I subscribe to a security ML so I can be
informed about security issues..
If issues like a LOCAL ROOT EXPLOIT aren't mentioned here, WHY THE
HELL does this ML exist?

So, is the gentoo security ML just for gentoo exclusive security issues
(aka portage system related issues)?
Or is it also for security issues that affect gentoo systems, like a
LOCAL ROOT exploit?

Taken from the gentoo website:
url: http://www.gentoo.org/main/en/lists.xml
"gentoo-security For the discussion of security issues and fixes"

I have no problems with following bugs.gentoo.org/security@gentoo.org
IF I KNEW that that's the place for security information... instead of
.. a... gentoo _security_ MAILING LIST.
Where is it explained that those who want to follow security issues that
may affect their systems should track bugs.gentoo.org?


On Sat, 8 Jan 2005 01:05:12 -0500, Mike Frysinger <vapier@gentoo.org> wrote:
> On Saturday 08 January 2005 12:49 am, Lenroc wrote:
> > Sorry, I didn't make it clear enough that this was humor.
> >
> > Before anyone takes it the wrong way, I thought I'd clear that up.
>
> sarcastic humor ;)
>
> my first reply was harsh only because original poster came off sounding like
> an ass
> -mike
>


--
Miguel Sousa Filipe

--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Saturday 08 January 2005 16:29, Miguel Filipe wrote:
> LoL, I came "sounding like an ass" ?
> Why is that?

It's because Mike likes to insult others. It's his problem, not yours.


Carsten
Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Sat, 2005-01-08 at 10:36 +0000, Carlos Silva wrote:
> > Joey McCoy wrote:
> >
> >> I don't mean to be abrasive or anything, but isn't that what the
> >> community
> >> is for? We all work together and as one discovers a security threat
> >> they
> >> (as you have done) post it to the list (whether they found it on
> >> slashdot,
> >> google, securityfocus, etc), and there it is.
> >
> > Make our job easier, search for duplicates and if there aren't, file a
> > new security bug in Bugzilla. Procedure is all very detailed at
> > http://security.gentoo.org. We just can't follow all MLs and forums and
> > we also don't have much time to enter new bugs. That's where the
> > community can help.
> >
> >> There is the aforementioned bugs watch list, but I don't know how to
> >> enable that (have logged in, but don't see a watch feature), although
> >> I
> >> haven't looked more than a couple minutes into it.
> >>
> >> Just my 2 cents, am I off base here?
> >
> > As a Gentoo user, you either follow the GLSAs (gentoo-announce) or if
> > you find those not enough "reactive" you can subscribe to Bugzilla and
> > follow all our vuln-whacking progress by watching security@gentoo.org.
> >
> I agree with this. I think there should be some separation of things.
> There are security vulnerabilities that aren't "serious" and others that
> are critical. I think that all we want is to have the critical ones
> (like root exploits) announced here so we can be notified faster.

I agree,
even if this one was hard to miss as it made headlines on slashdot
(amongst other places).
I would have thought that the gentoo-security list was *the* place to
report such things (even if the report only points to other sources of
information or bugs.gentoo.org).


--
gentoo-security@gentoo.org mailing list
Re: local root exploit for linux 2.4 and linux 2.6.
Miguel Filipe writes:

> I came "sounding like an ass"? Why is that?

Because you criticized the Gentoo project. It works like
this: You bring up a security problem. In the replies you
get, though, your actual point is flat out dismissed or
never addressed at all. Instead, you and your behavior will
be discussed in a very provoking manner. Once you have been
thoroughly annoyed and insulted, you become defensive and
lose focus of what you were trying to say in the first
place! Thus, the discussion drifts away from the security
problem.


> Because I talked about a LOCAL ROOT EXPLOIT ..that isn't
> mentioned in the GENTOO SECURITY ML because it's in the
> bugs repository?

The advantage of dealing with security problems _only_ in
the bug tracking system is that practically nobody follows
the bug tracking system -- whereas lots of people read the
mailing list. Thus, there is less transparency, which means
more freedom for the Gentoo core team to deal with security
problems in a way that doesn't interfere with internal
politics (read: egos).


> If issues like a LOCAL ROOT EXPLOIT aren't mentioned
> here, WHY THE HELL does this ML exist?

As it happens, I have a concrete proposal how to make this
list more useful! How about having the bug tracking system
forward all new security-related entries to this mailing
list automatically? This policy would (a) increase
transparency and (b) help finding volunteers from the
community who care enough about a problem to be willing to
dedicate time to fixing it. Thus: less work for the Gentoo
core team, more security for everybody.


> Where is it explained that those who want to follow security
> issues that may affect their systems should track
> bugs.gentoo.org?

I'd very much like to see an answer to this question. The
page <http://security.gentoo.org/> doesn't seem to say
anything about it.

Peter


--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
On 00:55 Sat 08 Jan , Mike Frysinger wrote:
> On Saturday 08 January 2005 12:37 am, Lenroc wrote:
> > So, in order to be informed about security issues as they pertain to
> > Gentoo, it's not enough to monitor the Gentoo Security list?
>
> sign up for a bugzilla account and add 'security@gentoo.org' to your watch
> list
>
> a ton of other people already do
> -mike

This is suboptimal at best. There is a ton of pure shit posted in
bugzilla, I know this since I actually tried. If you don't like
spending time sifting through everything related to security in
bugzilla when looking for fresh security bugs, I advise against
this.

Interesting to note is that as soon as anyone knows of a new bug and
posts about it here they are treated like idiots. This I also know
from personal experience.
See http://thread.gmane.org/gmane.linux.gentoo.security/598.

This mailing list really seems to be more about flaming than anything
else, looking at the latest long threads.

So clearly a lot of people here don't want to know about possible
security issues in a timely manner. Also, unless you are really good
at communicating your exact intentions in such perfect English that no
possible ambiguities may arise, please refrain from posting if you
don't want to be called an ass.

Every time I notice new mail in this folder I realize I forgot to
unsubscribe.. I think I just might take time to do it right now.

/ D


--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
Peter Simons wrote:
> Miguel Filipe writes:
>
> > I came "sounding like an ass"? Why is that?
>
> Because you criticized the Gentoo project. It works like
> this: You bring up a security problem. In the replies you
> get, though, your actual point is flat out dismissed or
> never addressed at all. Instead, you and your behavior will
> be discussed in a very provoking manner. Once you have been
> thoroughly annoyed and insulted, you become defensive and
> lose focus of what you were trying to say in the first
> place! Thus, the discussion drifts away from the security
> problem.

Peter, please don't start your rant again.

> > Because I talked about a LOCAL ROOT EXPLOIT ..that isn't
> > mentioned in the GENTOO SECURITY ML because it's in the
> > bugs repository?
>
> The advantage of dealing with security problems _only_ in
> the bug tracking system is that practically nobody follows
> the bug tracking system -- whereas lots of people read the
> mailing list. Thus, there is less transparency, which means
> more freedom for the Gentoo core team to deal with security
> problems in a way that doesn't interfere with internal
> politics (read: egos).

The reason you haven't seen an email about it is because security
advisories get sent to gentoo-announce. It was decided a few years ago
to move those emails from here to there because there were a lot more
people on that list. The other reason you haven't seen any email about
this from us is because we go through a process to make sure all the
ebuilds are updated before we release an announcement (which is
documented on our site [1]). It's not being ignored one bit, it's just
not very visible unless you follow bugs.

> > If issues like a LOCAL ROOT EXPLOIT aren't mentioned
> > here, WHY THE HELL does this ML exist?
>
> As it happens, I have a concrete proposal how to make this
> list more useful! How about having the bug tracking system
> forward all new security-related entries to this mailing
> list automatically? This policy would (a) increase
> transparency and (b) help finding volunteers from the
> community who care enough about a problem to be willing to
> dedicate time to fixing it. Thus: less work for the Gentoo
> core team, more security for everybody.

Add a watch on the bugs site like was previously mentioned. Perhaps that
should be better documented so people like him can follow things like that.

> > Where is it explained that those who want to follow security
> > issues that may affect their systems should track
> > bugs.gentoo.org?
>
> I'd very much like to see an answer to this question. The
> page <http://security.gentoo.org/> doesn't seem to say
> anything about it.

See above. If this needs to be added, make a bug about it.

[1] http://www.gentoo.org/security/en/vulnerability-policy.xml

-Lance


--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Sat, 08 Jan 2005 12:18:22 -0600, Lance Albertson <ramereth@gentoo.org> wrote:
> Peter Simons wrote:
> > Miguel Filipe writes:
> >
> > > I came "sounding like an ass"? Why is that?
> >
> > Because you criticized the Gentoo project. It works like
> > this: You bring up a security problem. In the replies you
> > get, though, your actual point is flat out dismissed or
> > never addressed at all. Instead, you and your behavior will
> > be discussed in a very provoking manner. Once you have been
> > thoroughly annoyed and insulted, you become defensive and
> > lose focus of what you were trying to say in the first
> > place! Thus, the discussion drifts away from the security
> > problem.
>
> Peter, please don't start your rant again.
>
> > > Because I talked about a LOCAL ROOT EXPLOIT ..that isn't
> > > mentioned in the GENTOO SECURITY ML because it's in the
> > > bugs repository?
> >
> > The advantage of dealing with security problems _only_ in
> > the bug tracking system is that practically nobody follows
> > the bug tracking system -- whereas lots of people read the
> > mailing list. Thus, there is less transparency, which means
> > more freedom for the Gentoo core team to deal with security
> > problems in a way that doesn't interfere with internal
> > politics (read: egos).
>
> The reason you haven't seen an email about it is because security
> advisories get sent to gentoo-announce. It was decided a few years ago
> to move those emails from here to there because there were a lot more
> people on that list. The other reason you haven't seen any email about
> this from us is because we go through a process to make sure all the
> ebuilds are updated before we release an announcement (which is
> documented on our site [1]). It's not being ignored one bit, it's just
> not very visible unless you follow bugs.

You send the _security_ advisories to _announce_ because more people
are subscribed to it?
You only announce problems _after_ a fix is made??? Did it occur to
any of you that people might want to disable vulnerable services or
even *gasp* help produce fixes for the problems?
We have to watch bugs.gentoo to get a total picture?

I couldn't agree more with Peter, this ML is about as useful as a
bicycle is to a fish.

>
> > > If issues like a LOCAL ROOT EXPLOIT aren't mentioned
> > > here, WHY THE HELL does this ML exist?
> >
> > As it happens, I have a concrete proposal how to make this
> > list more useful! How about having the bug tracking system
> > forward all new security-related entries to this mailing
> > list automatically? This policy would (a) increase
> > transparency and (b) help finding volunteers from the
> > community who care enough about a problem to be willing to
> > dedicate time to fixing it. Thus: less work for the Gentoo
> > core team, more security for everybody.
>
> Add a watch on the bugs site like was previously mentioned. Perhaps that
> should be better documented so people like him can follow things like that.
>
> > > Where is it explained that those who want to follow security
> > > issues that may affect their systems should track
> > > bugs.gentoo.org?
> >
> > I'd very much like to see an answer to this question. The
> > page <http://security.gentoo.org/> doesn't seem to say
> > anything about it.
>
> See above. If this needs to be added, make a bug about it.
>
> [1] http://www.gentoo.org/security/en/vulnerability-policy.xml
>
> -Lance
>
>
> --
> gentoo-security@gentoo.org mailing list
>
>
--

Why are the pretty ones always insane?
-- J.G. Thirlwell

--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
Sven Beukenex wrote:

> You send the _security_ advisories to _announce_ because more people
> are subscribed to it?
> You only announce problems _after_ a fix is made??? Did it occur to
> any of you that people might want to disable vulnerable services or
> even *gasp* help produce fixes for the problems?
> We have to watch bugs.gentoo to get a total picture?

Perhaps there should be another list or method for people like you to
know about things better. I'm not on the security team, so it's not my
call. I wasn't around when they changed sending advisories from this
list to the other one, so I don't know the exact reasoning. I do see
your point, and it is valid, so perhaps we should come up with a
solution that works instead of flaming or yelling. Attitudes like that
just make us not want to help even more.

-Lance

--
gentoo-security@gentoo.org mailing list
Re: local root exploit for linux 2.4 and linux 2.6.
Lance Albertson writes:

>> It works like this: You bring up a security problem. In
>> the replies you get, though, your actual point is flat
>> out dismissed or never addressed at all. Instead, you
>> and your behavior will be discussed in a very provoking
>> manner. Once you have been thoroughly annoyed and
>> insulted, you become defensive and lose focus of what
>> you were trying to say in the first place! Thus, the
>> discussion drifts away from the security problem.

> Peter, please don't start your rant again.

Quod erat demonstrandum.


> The reason you haven't seen an email about it is because
> security advisories get sent to gentoo-announce. [...]

I am aware of that. However, I don't see how this relates to
the proposal of sending newly reported security problems to
_this_ list instead.


> It was decided a few years ago to move those emails from
> here to there because there were a lot more people on
> that list.

I think you are mixing up two different things, Lance. These
advisories you are talking about are issued when problems
are _fixed_ in Gentoo. We were talking about being advised
about problems once they are _known_. As you may recall,
there's occasionally a significant amount of time between
these two points.


> [A security problem is] not being ignored one bit, it's
> just not very visible unless you follow bugs.

Exactly. Since hardly anybody follows the bugs, this means
that security problems are practically invisible to most
users until they are fixed in Gentoo, which, as you may
recall, takes a significant amount of time on the occasion.
To remedy this situation, I'd like to make the following
proposal:

| How about having the bug tracking system forward all new
| security-related entries to this mailing list
| automatically? This policy would (a) increase
| transparency and (b) help finding volunteers from the
| community who care enough about a problem to be willing
| to dedicate time to fixing it. Thus: less work for the
| Gentoo core team, more security for everybody.

If you look closely, you'll find that I originally said that
in the very e-mail you are replying to. Curious that you
didn't address that part at all, isn't it?


> Add a watch on the bugs site like was previously mentioned.
> Perhaps that should be better documented so people like him
> can follow things like that.

Perhaps it would be simpler to post the security related
problems to this mailing list instead, so that "people like
him" don't need to configure watches on the bug tracking
system in order to learn about them?

Peter


--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
To get it to compile, change modify_ldt_ldt_s to user_desc. For me it
just segfaults then, but I don't know if that's because I have
CONFIG_DEBUG_STACKOVERFLOW=y set.

--Kevin

On Sat, Jan 08, 2005 at 02:24:34PM +0100, Raul Lluna wrote:

> Anyway the exploit does not work for me.
> Tested against:
> - 2.6.5-gentoo-r1
> - 2.4.24-openmosix-r1
> - 2.4.26-gentoo-r13
> - 2.6.9-gentoo-r9
>
> And it does not even compile against:
> - 2.6.9-gentoo-r13, linux26-headers-2.6.8.1-r2, i686-pc-linux-gnu-3.3.4
>
> gcc -O2 -fomit-frame-pointer elflbl.c -o elflbl
> elflbl.c: In function `scan_mm_start':
> elflbl.c:426: error: storage size of `l' isn't known
> elflbl.c:426: error: storage size of `l' isn't known
> elflbl.c: In function `check_vma_flags':
> elflbl.c:545: warning: deprecated use of label at end of compound statement
>
> --
> gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
Sven Beukenex wrote:

>On Sat, 08 Jan 2005 12:18:22 -0600, Lance Albertson <ramereth@gentoo.org> wrote:
>
>
>>Peter Simons wrote:
>>
>>
>>>Miguel Filipe writes:
>>>
>>> > I came "sounding like an ass"? Why is that?
>>>
>>>Because you criticized the Gentoo project. It works like
>>>this: You bring up a security problem. In the replies you
>>>get, though, your actual point is flat out dismissed or
>>>never addressed at all. Instead, you and your behavior will
>>>be discussed in a very provoking manner. Once you have been
>>>thoroughly annoyed and insulted, you become defensive and
>>>lose focus of what you were trying to say in the first
>>>place! Thus, the discussion drifts away from the security
>>>problem.
>>>
>>>
>>Peter, please don't start your rant again.
>>
>>
>>
>>> > Because I talked about a LOCAL ROOT EXPLOIT ..that isn't
>>> > mentioned in the GENTOO SECURITY ML because it's in the
>>> > bugs repository?
>>>
>>>The advantage of dealing with security problems _only_ in
>>>the bug tracking system is that practically nobody follows
>>>the bug tracking system -- whereas lots of people read the
>>>mailing list. Thus, there is less transparency, which means
>>>more freedom for the Gentoo core team to deal with security
>>>problems in a way that doesn't interfere with internal
>>>politics (read: egos).
>>>
>>>
>>The reason you haven't seen an email about it is because security
>>advisories get sent to gentoo-announce. It was decided a few years ago
>>to move those emails from here to there because there were a lot more
>>people on that list. The other reason you haven't seen any email about
>>this from us is because we go through a process to make sure all the
>>ebuilds are updated before we release an announcement (which is
>>documented on our site [1]). It's not being ignored one bit, it's just
>>not very visible unless you follow bugs.
>>
>>
>
>You send the _security_ advisories to _announce_ because more people
>are subscribed to it?
>You only announce problems _after_ a fix is made??? Did it occur to
>any of you that people might want to disable vulnerable services or
>even *gasp* help produce fixes for the problems?
>We have to watch bugs.gentoo to get a total picture?
>
>I couldn't agree more with Peter, this ML is about as useful as a
>bicycle is to a fish.
>
>
>
The absolute outrage and lack of manners here is very
disappointing. Now I would be one to agree that it's quite backwards,
but the documentation clearly states where all the GLSA's are
announced. Someone already stated that one could subscribe to
security@gentoo.org on bugzilla. Then people complain that it would be
too much traffic, filtering the crap from the actual vulnerabilities.
As if forwarding all the traffic to the list would be any better, or any
different? Either way anyone that subscribes is going to get useless
bugs that were misassigned, or already patched, or are downright bogus,
god forbid they have to sort through them all.


>>> > If issues like a LOCAL ROOT EXPLOIT aren't mentioned
>>> > here, WHY THE HELL does this ML exist?
>>>
>>>As it happens, I have a concrete proposal how to make this
>>>list more useful! How about having the bug tracking system
>>>forward all new security-related entries to this mailing
>>>list automatically? This policy would (a) increase
>>>transparency and (b) help finding volunteers from the
>>>community who care enough about a problem to be willing to
>>>dedicate time to fixing it. Thus: less work for the Gentoo
>>>core team, more security for everybody.
>>>
>>>
>>Add a watch on the bugs site like was previously mentioned. Perhaps that
>>should be better documented so people like him can follow things like that.
>>
>>
>>
>>> > Where is explained that those who want to follow security
>>> > issues that may affect their systems should track
>>> > bugs.gentoo.org?
>>>
>>>I'd very much like to see an answer to this question. The
>>>page <http://security.gentoo.org/> doesn't seem to say
>>>anything about.
>>>
>>>
>>See above. If this needs to be added, make a bug about it.
>>
>>[1] http://www.gentoo.org/security/en/vulnerability-policy.xml
>>
>>-Lance
>>
>>
>>--
>>gentoo-security@gentoo.org mailing list
>>
>>
>>
>>


--
Alec Warner
Spartasoft Secretary ( spartasoft.msu.edu )
Junior Computer Science
Michigan State University
warnera6@egr.msu.edu


--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sat, 08 Jan 2005 14:02:06 -0500, Alec <warnera6@egr.msu.edu> wrote:

> >You send the _security_ advisories to _announce_ because more people
> >are subscribed to it?
> >You only announce problems _after_ a fix is made??? Did it occur to
> >any of you that people might want to disable vulnerable services or
> >even *gasp* help produce fixes for the problems?
> >We have to watch bugs.gentoo to get a total picture?
> >
> >I couldn't agree more with Peter, this ML is about as useful as a
> >bicycle is to a fish.
> >
> >
> >
> The absolute outrage and lack of manners here is very
> disappointing. Now I would be one to agree that it's quite backwards,
> but the documentation clearly states where all the GLSA's are
> announced. Someone already stated that one could subscribe to
> security@gentoo.org on bugzilla. Then people complain that it would be
> too much traffic, filtering the crap from the actual vulnerabilities.
> As if forwarding all the traffic to the list would be any better, or any
> different? Either way anyone that subscribes is going to get useless
> bugs that were misassigned, or already patched, or are downright bogus,
> god forbid they have to sort through them all.
>
>
> --
> Alec Warner
> Spartasoft Secretary ( spartasoft.msu.edu )
> Junior Computer Science
> Michigan State University
> warnera6@egr.msu.edu
>
>

What I find disappointing is that you react in this way to my mail,
not to the flames the original poster got. The only reason I reacted
this strongly is because frankly, _I_ am outraged that people who
raise serious questions here are treated like filth.
Please look at the original post again, do you actually think Mike
Frysinger is right in calling Miguel an ass?

--

Why are the pretty ones always insane?
-- J.G. Thirlwell

--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
The last 20 posts have had nothing practical to do with this local root
exploit. If it's the policy that this list is not used as a forum to
notify people of *major* security exploits even before the fix is released
then there's nothing to talk about. A policy is a policy. However, if
this project is supposed to be community based and democratic and a
majority of people think that it will increase its efficiency and
effectiveness to have notifications posted to this list, then maybe the
people should take notice and consider it, rather than throwing around
insults. Maybe the user base on this list should be consulted on what
they think is best?

If not, that's fine, but nobody should have illusions about the gentoo
community having an easily accessible avenue to receive *extremely
important* notifications, even without a fix, such as these. Nor should
they delude themselves in thinking that they respond appropriately to the
concerns of their userbase. Subscribing to a bug tracking list to track
local and remote root exploits is an unreasonable request to make of
sysadmins who frankly don't have the time to deal with it. As many others
have already mentioned, this isn't good enough. Is there some other
solution we can work towards?



k.

--
gentoo-security@gentoo.org mailing list
Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
Sorry for interrupting this flamewar....

A simplified patch has been included in 2.6.10-bk. It can be found at

http://linux.bkbits.net:8080/linux-2.5/cset%401.2251?nav=index.html

or below.

I have only tested this patch on 2.6.10-mm2, and there it is *not*
sufficient. The machine does an instant reset, just as without the patch
or the older version from 2.4.

Regards

# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2005/01/07 15:58:52-08:00 torvalds@ppc970.osdl.org
# Fix do_brk() locking in library loader
#
# The regular executable loader path doesn't need the locking,
# because it's the only user of its VM. But the same is not true
# at library load time. So get the mmap semaphore.
#
# fs/binfmt_aout.c
# 2005/01/07 15:58:44-08:00 torvalds@ppc970.osdl.org +2 -0
# Fix do_brk() locking in library loader
#
# fs/binfmt_elf.c
# 2005/01/07 15:58:45-08:00 torvalds@ppc970.osdl.org +4 -1
# Fix do_brk() locking in library loader
#
diff -Nru a/fs/binfmt_aout.c b/fs/binfmt_aout.c
--- a/fs/binfmt_aout.c 2005-01-08 12:21:32 -08:00
+++ b/fs/binfmt_aout.c 2005-01-08 12:21:32 -08:00
@@ -512,7 +512,9 @@
len = PAGE_ALIGN(ex.a_text + ex.a_data);
bss = ex.a_text + ex.a_data + ex.a_bss;
if (bss > len) {
+ down_write(&current->mm->mmap_sem);
error = do_brk(start_addr + len, bss - len);
+ up_write(&current->mm->mmap_sem);
retval = error;
if (error != start_addr + len)
goto out;
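Review bot: the reason this a.out library-load path needs the mmap semaphore while the regular executable loader does not is recorded only in the ChangeSet header above ("it's the only user of its VM"); a one-line comment before the new `down_write(&current->mm->mmap_sem);` would keep that rationale next to the code, where the next person touching `do_brk()` here will actually see it. The existing `retval = error;` and `if (error != start_addr + len) goto out;` checks are untouched and still run after `up_write()`, so error handling stays correct with the lock already released.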
diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
--- a/fs/binfmt_elf.c 2005-01-08 12:21:32 -08:00
+++ b/fs/binfmt_elf.c 2005-01-08 12:21:32 -08:00
@@ -1024,8 +1024,11 @@

len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr +
ELF_MIN_ALIGN - 1);
bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
- if (bss > len)
+ if (bss > len) {
+ down_write(&current->mm->mmap_sem);
do_brk(len, bss - len);
+ up_write(&current->mm->mmap_sem);
+ }
error = 0;

out_free_ph:
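Review bot: unlike the a.out hunk, this ELF library path still discards the return value of `do_brk(len, bss - len);` and then sets `error = 0;` unconditionally, so a failed bss extension at library load time is silently reported as success to the caller; consider capturing the result and comparing it against `len` before clearing `error`, the way binfmt_aout.c checks `error != start_addr + len`. Marc's note above that 2.6.10-mm2 still resets with this applied also suggests the missing lock was not the whole story for that tree, which is worth stating in the ChangeSet description rather than leaving the "+4 -1" summary to imply a complete fix.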

--
gentoo-security@gentoo.org mailing list
Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
Thank you!

I was about to send an email, asking if anyone knew a patch for
Linux 2.6.10, since both Marcelo Tosatti's and Alan Cox's fixes were not
"approved" by Linus Torvalds.



On Sat, 8 Jan 2005 21:51:06 +0100, Marc Ballarin <Ballarin.Marc@gmx.de> wrote:
> Sorry for interrupting this flamewar....
>
> A simplified patch has been included in 2.6.10-bk. It can be found at
>
> http://linux.bkbits.net:8080/linux-2.5/cset%401.2251?nav=index.html
>
> or below.
>
> I have only tested this patch on 2.6.10-mm2, and there it is *not*
> sufficient. The machine does an instant reset, just as without the patch
> or the older version from 2.4.
>
> Regards
>
> # This is a BitKeeper generated diff -Nru style patch.
> #
> # ChangeSet
> # 2005/01/07 15:58:52-08:00 torvalds@ppc970.osdl.org
> # Fix do_brk() locking in library loader
> #
> # The regular executable loader path doesn't need the locking,
> # because it's the only user of its VM. But the same is not true
> # at library load time. So get the mmap semaphore.
> #
> # fs/binfmt_aout.c
> # 2005/01/07 15:58:44-08:00 torvalds@ppc970.osdl.org +2 -0
> # Fix do_brk() locking in library loader
> #
> # fs/binfmt_elf.c
> # 2005/01/07 15:58:45-08:00 torvalds@ppc970.osdl.org +4 -1
> # Fix do_brk() locking in library loader
> #
> diff -Nru a/fs/binfmt_aout.c b/fs/binfmt_aout.c
> --- a/fs/binfmt_aout.c 2005-01-08 12:21:32 -08:00
> +++ b/fs/binfmt_aout.c 2005-01-08 12:21:32 -08:00
> @@ -512,7 +512,9 @@
> len = PAGE_ALIGN(ex.a_text + ex.a_data);
> bss = ex.a_text + ex.a_data + ex.a_bss;
> if (bss > len) {
> + down_write(&current->mm->mmap_sem);
> error = do_brk(start_addr + len, bss - len);
> + up_write(&current->mm->mmap_sem);
> retval = error;
> if (error != start_addr + len)
> goto out;
> diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> --- a/fs/binfmt_elf.c 2005-01-08 12:21:32 -08:00
> +++ b/fs/binfmt_elf.c 2005-01-08 12:21:32 -08:00
> @@ -1024,8 +1024,11 @@
>
> len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr +
> ELF_MIN_ALIGN - 1);
> bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
> - if (bss > len)
> + if (bss > len) {
> + down_write(&current->mm->mmap_sem);
> do_brk(len, bss - len);
> + up_write(&current->mm->mmap_sem);
> + }
> error = 0;
>
> out_free_ph:
>
> --
> gentoo-security@gentoo.org mailing list
>
>


--
Miguel Sousa Filipe

--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On 8 Jan 2005, at 21:13, Kris wrote:
> Maybe the user base on this list should be consulted on what they
> think is best?

The ``user base'' mostly hasn't dealt with any security problems. I have
to defend Gentoo on this one. On most distributions the security lists
are closed. There are reasons for this, things shouldn't go public.
Sometimes they agree on a release date etc. Subscribe to Bugtraq etc.
if you are interested in zero-day exploits.

Gentoo's process is reasonably open as almost all is documented within
Bugzilla. You could watch security@gentoo.org easily. Sure you get much
junk, but what do you expect. I would rather see the Gentoo developers
spend time to fix the bugs and write concrete advisories than
duplicating information from the Bugzilla on this list. Some seem to
forget that all the work within Gentoo is volunteer-based. On other
distributions you only receive announcements, or you have to subscribe
to a notification list for all bugs, not only the security-related
ones.

Did you pay anyone at Gentoo? Did you donate? Did you pay somebody who
verifies all bugs and rates them and sends an announcement to this list
when he thinks one is serious enough when you are subscribed to
Bugtraq/SecurityFocus anyway? Get real.

I agree with you that the behaviour of some on this list is harassing.
People could deal with others more gently. But the flamewar would start
anyway, as I have learned from the past. English isn't my mother
language either, but you shouldn't use your new learned insults to
throw them randomly to others.

Ah I should stop ranting... ):

Regards,
Philipp Kern
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
>Please look at the original post again, do you actually think Mike
>Frysinger is right in calling Miguel an ass?
>
>
>
I could care less. If someone thinks a policy change is necessary, then
start a discussion and file a bug about it. If the ML doesn't serve the
purpose you think it does, file a bug or unsubscribe. I'm not going to
sit here and argue about whose conduct was right or wrong, that's not the
point of the list.

--
Alec Warner
Spartasoft Secretary ( spartasoft.msu.edu )
Junior Computer Science
Michigan State University
warnera6@egr.msu.edu


--
gentoo-security@gentoo.org mailing list
Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On 8 Jan 2005, at 22:54, Miguel Filipe wrote:
> I was about to send an email, asking if anyone knew a patch for
> Linux 2.6.10, since both Marcelo Tosatti's and Alan Cox's fixes were not
> "approved" by Linus Torvalds.

Perhaps you should have sent us the link to the LKML entry where the
patches were denied by Linus.

Regards,
Philipp Kern
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
Point taken. I do not pay for the service, and I do agree that the
volunteer effort that's contributed should be directed towards
development. However, I think that if a policy change is requested by
enough people, I honestly don't think it would require that much effort to
post brief security related announcements. Just look at all the effort
being put in to crafting all this belittling banter.

Ok, maybe I misunderstand the purpose of this list? It is a security
list, and a major security hole was discovered, that affects the gentoo
kernel sources, to which I have good faith are being worked on, but we
have not been formally informed? Call me crazy, but this just isn't a
bug, it is also a security issue, which, I think, belongs on a security
list. Maybe I'm totally out of line here?

Your ranting is appreciated.

k.

On Sun, 9 Jan 2005, Philipp Kern wrote:

> On 8 Jan 2005, at 21:13, Kris wrote:
>> Maybe the user base on this list should be consulted on what they think
>> is best?
>
> The ``user base'' mostly hasn't dealt with any security problems. I have to
> defend Gentoo on this one. On most distributions the security lists are
> closed. There are reasons for this, things shouldn't go public. Sometimes
> they agree on a release date etc. Subscribe to Bugtraq etc. if you are
> interested in zero-day exploits.
>
> Gentoo's process is reasonably open as almost all is documented within
> Bugzilla. You could watch security@gentoo.org easily. Sure you get much junk,
> but what do you expect. I would rather see the Gentoo developers spend time
> to fix the bugs and write concrete advisories than duplicating information
> from the Bugzilla on this list. Some seem to forget that all the work within
> Gentoo is volunteer-based. On other distributions you only receive
> announcements, or you have to subscribe to a notification list for all bugs,
> not only the security-related ones.
>
> Did you pay anyone at Gentoo? Did you donate? Did you pay somebody who
> verifies all bugs and rates them and sends an announcement to this list when
> he thinks one is serious enough when you are subscribed to
> Bugtraq/SecurityFocus anyway? Get real.
>
> I agree with you that the behaviour of some on this list is harassing. People
> could deal with others more gently. But the flamewar would start anyway, as I
> have learned from the past. English isn't my mother language either, but you
> shouldn't use your new learned insults to throw them randomly to others.
>
> Ah I should stop ranting... ):
>
> Regards,
> Philipp Kern
>

--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sat, Jan 08, 2005 at 07:02:05PM +0100, Daniel Brandt wrote:
> This is suboptimal at best. There are tons of pure shit posted in
> bugzilla,

What other information do you want than bugs that are categorized as
Vulnerabilities in the Gentoo Security product? That's about the most
info you could desire, I would imagine--every vulnerability filed for
Gentoo systems.

I'd really like to help you out, but I don't see any valid points in the
above. "Pure shit" is subjective, of course, but that is the live info
that we, the devs, use. If it's sufficient for us, it's probably
sufficient for you, too.

> Interesting to note is that as soon as anyone knows of a new bug and
> posts about it here they are treated like idiots. This I also know
> from personal experience.
> See http://thread.gmane.org/gmane.linux.gentoo.security/598.

I don't see anybody treating you like an idiot in that link, but
whatever. Your mentioning of old grudges and ego scrapes sure makes me
take your complaint more seriously, though. Really.

> Every time I notice new mail in this folder I realize I forgot to
> unsubscribe.. I think I just might take time to do it right now.

If that's a threat, uh, I can't say I mind. But for the record, if you
want us to change something, just try to delineate a little better what
you want changed. For instance, where you called bugzilla "pure shit," I
might have said, "Bugzilla is insufficient for my bugtracking needs for
the following reasons: [insert reasons here]." See what I mean?

Hope that helps.

--
Dan Margolis
Gentoo Security/Audit
Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sat, Jan 08, 2005 at 10:31:18AM -0000, Carlos Silva wrote:
> I don't think that. a local root exploit is something bad for sysadmins.
> and sysadmins have more things to do that just watch every bug in
> bugs.gentoo.org looking for root exploits or some other security flaws.
> I think that the gentoo-security ML should "notify" us about this
> problems.

It sounds like you were unaware of the feature where you can subscribe
to *specific* bugs in bugzilla, since you mentioned that you shouldn't
have to track "every bug in bugs.gentoo.org". So perhaps that's all you
want? :)

--
Dan Margolis
Gentoo Security/Audit
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sat, Jan 08, 2005 at 05:45:49PM +0100, Peter Simons wrote:
> The advantage of dealing with security problems _only_ in
> the bug tracking system is that practically nobody follows
> the bug tracking system -- whereas lots of people read the
> mailing list. Thus, there is less transparency, which means
> more freedom for the Gentoo core team to deal with security
> problems in a way that doesn't interfere with internal
> politics (read: egos).

Peter, this sounds, quite honestly, like you have a bit of an issue with
paranoia. This is the second time in maybe as many months in which
you've accused the Gentoo developer community of conspiring to keep you
from finding out about vulnerabilities, which is, quite honestly,
ridiculous. If we weren't devoted to the idea of openness, we wouldn't
volunteer our time with an open source project.

> As it happens, I have a concrete proposal how to make this
> list more useful! How about having the bug tracking system
> forward all new security-related entries to this mailing
> list automatically? This policy would (a) increase
> transparency and (b) help finding volunteers from the
> community who care enough about a problem to be willing to
> dedicate time to fixing it. Thus: less work for the Gentoo
> core team, more security for everybody.

It's not terribly difficult to subscribe to bugzilla, and I don't see
how the added effort of doing so implies a deliberate attempt to hide
the vulnerability process. As for advertising security entries on this
list, there are currently 81 unclosed bugs in the security product. The
turnover rate is quite high, and the volume of mail would clutter this
list and, in my personal opinion, make it more difficult to use this
list for what it is meant to be: security discussion. Given that infra
apparently feels the same way, the fastest solution for your personal
needs might be for you to sign up a Yahoo! group that is subscribed to
security bugs on Bugzilla.

The point here is that anyone can form a list with any internal
information. It's all there. The entire process is open, and any
accusations of conspiratorial secrecy are really quite hard to take
seriously. It's not just that we don't hide info, we actually publicise
it quite well. We send GLSAs to not just our own lists, but to a number
of public lists. We publish GLSAs in an RDF feed. We make Bugzilla
entries available on the web, via e-mail, and even in iCal format
(pretty slick, eh?).

So seriously, Pete, if you want to find a conspiracy, try the White
House. You won't find one here.
--
Dan Margolis
Gentoo Security/Audit
Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
Dan Margolis writes:

> Peter, this sounds, quite honestly, like you have a bit
> of an issue with paranoia.

Dan, this sounds, quite honestly, like you are side-stepping
my points by attacking me instead of my argument. And
attacking people who argue to increase security by calling
them PARANOID of all things is disappointingly uninventive
at that. Maybe this little example helps illustrate why ad
hominem attacks are considered logical fallacies:

"Isaac Newton was a prick. If you ever read about the way
he behaved, you'll see that. Therefore, force does not
equal mass times acceleration."

Now it's your turn to say: "You are comparing yourself to
Isaac Newton now? You clearly are megalomaniac, so posting
security problems to this list once they are known is not a
good idea."


> As for advertising security entries on this list, there
> are currently 81 unclosed bugs in the security product.
> The turnover rate is quite high, and the volume of mail
> would clutter this list and, in my personal opinion, make
> it more difficult to use this list for what it is meant
> to be: security discussion.

Look, this may come as a shock, but entries in the Gentoo
bug tracking system actually feature all kinds of meta
information, like severity, categorization of the problem,
categorizations of every modification made to the bug, and
whatnot else. If I am not mistaken, Bugzilla comes with an
excessive array of mechanisms that allow you to configure
which events are forwarded via e-mail and which ones are
not.

For instance: If a _new_ entry is made, the bug's
description and URL to the page in bugs.gentoo.org could be
forwarded to the list, but all the 200+ additional comments
appended to it in the process of ebuild hackery and other
administrative problems could NOT be forwarded. So the
interested reader would be informed about every bug and
could decide himself which ones to follow in detail through
the bug tracking system and which ones to ignore.

I realize text filtering techniques are still a very
experimental branch of information theory research, but I
thought Gentoo was the kind of bleeding-edge distribution
that embraced wild and promising technologies? Where is your
spirit of adventure? Why don't you use your imagination to
come up with ways to improve the situation, rather than
coming up with reasons why it is utterly impossible to
improve the situation?


> Given that infra apparently feels the same way, the
> fastest solution for your personal needs might be for you
> to sign up a Yahoo! group that is subscribed to security
> bugs on Bugzilla.

I sure could set up all kind of mailing lists and forward
all kinds of stuff to it for my personal pleasure, but that
doesn't really improve the utilization of _this_ list, does
it?


> It's not just that we don't hide info, we actually
> publicise it quite well. We send GLSAs to not just our
> own lists, but to a number of public lists. We publish
> GLSAs in an RDF feed.

The difference between advisories that are published once a
bug is fixed and advisories that are published once the bug
is known is subtle, I know. So by all means, keep mixing it
up. It's not like anybody minds explaining the same things
over and over again because you are attacking straw men
instead of the point being made.


> We make Bugzilla entries available on the web, via
> e-mail, and even in iCal format (pretty slick, eh?).

I am impressed. All these people who have been wondering why
an exploit that allows local users to gain superuser
privileges hasn't been published on this mailing list
although it was known and reported to Gentoo should probably
install iCal, and then little disappointments like that
would be a thing of the past.

Frankly, ridiculing your points is so damn easy it's not
even fun. The little gremlin on my shoulder thinks you are
doing that on purpose to annoy me. I just hope he is wrong!
Wait a second. There's someone at the door ...


--
gentoo-security@gentoo.org mailing list
Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
Dan Margolis writes:

> Carlos Silva writes:

>> A local root exploit is something bad for sysadmins.
>> [...] I think that the gentoo-security ML should
>> "notify" us about this problems.

> It sounds like you were unaware of the feature where you
> can subscribe to *specific* bugs in bugzilla [...].

That sounds awesome, Dan. Could you please post the URL of
the bug that we all can subscribe to in order to learn about
new local root exploits once they are known?

Peter


--
gentoo-security@gentoo.org mailing list
Re: re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
Going around about the purpose of the list every month or so seems a little
unnecessary, in my opinion. I hope that delineating 'discussion' from
'notification' might help.

This list is for 'security discussion', not 'security notification'. Also
Simple. Posting, positing, and discussing known or potential vulnerabilities
here is perfectly within bounds.

Attacking individuals in any online format is almost certainly bound to create
a flame-war, and doesn't help the quality or signal to noise ratio of the
'discussion'.

If you want *notification* to monitor the security of Gentoo, monitor
Bugzilla's 'security' component. Simple. There, the answer is in the open.

The GLSA's and the 'security' component in Bugzilla provide 'full coverage'
and a highly configurable *notification* interface, so I don't see any need
to extend yet another *notification* interface by cluttering this
*discussion* list.

The original post of the vulnerability that spawned this thread was likewise a
good deed, and we should encourage people to post things that they think the
list or the broader community should be aware of. Good Job, Keep it up.

Discussing ways of closing a vulnerability is clearly 'in scope' for the
purpose of this list, as the broader community may have ideas. Good Job,
Keep it up. I've gotten good ideas from this list in general, and from
specific inquiries I've made in the past on this list. Posting a link to the
bug was also a great 'full disclosure' response. Good Job, Keep it up.

Regards,

- Brian

--
gentoo-security@gentoo.org mailing list
Re: re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On 9 Jan 2005, at 14:32, Brian G. Peterson wrote:
<snip>

I would put my ACK under everything said. Well done, Brian.

Regards,
Philipp Kern


--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
I am another user who was under the impression that security problems
would be posted to this list when found, rather than after they are
fixed. Oh well.

Someone mentioned a yahoo groups list for bug announcements (rather
than fixes) could we get details of that placed on the page:

http://www.gentoo.org/main/en/lists.xml

And given that a sample of people on this list, me included, seem to
have misunderstood the list details, maybe an update is in order.



Peter Simons writes:
|
| > Given that infra apparently feels the same way, the
| > fastest solution for your personal needs might be for you
| > to sign up a Yahoo! group that is subscribed to security
| > bugs on Bugzilla.
|
| I sure could set up all kind of mailing lists and forward
| all kinds of stuff to it for my personal pleasure, but that
| doesn't really improve the utilization of _this_ list, does
| it?

I think there has been an indication that a number of people are
interested in such a list. Maybe if bugzilla is up to it, it could be a
worthy list where ONLY bugzilla can post, creating a little more
signal. ;)

Maybe rather than another round of 'discussion' about people
we should discuss the creation of:

gentoo-security-discussion@
gentoo-security-announce@
gentoo-security-resolved@

or at least this new list that it seems a few people would be
interested in.


I'll leave:

gentoo-security-namecalling@

for later :) <-- Note ':)'

--
/ `Rev Dr' cam at darkqueen.org Roleplaying, virtual goth \
< http://darkqueen.org Poly, *nix, Python, C/C++, genetics, ATM >
\ [+61 3] 9809 1523[h] skeptic, Evil GM(tm). Sysadmin for hire /
---------- Random Quote ----------
Q: How many mathematicians does it take to screw in a lightbulb?
A: One. He gives it to six Californians, thereby reducing the problem
to the earlier joke.

--
gentoo-security@gentoo.org mailing list
Re: re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
Brian G. Peterson wrote:

> This list is for 'security discussion', not 'security notification'. Also
> Simple. Posting, positing, and discussing known or potential vulnerabilities
> here is perfectly within bounds.
> [...]
> If you want *notification* to monitor the security of Gentoo, monitor
> Bugzilla's 'security' component. Simple. There, the answer is in the open.

Thanks for summing it up, Brian.

I'll try to address the concerns raised by this thread, which is mostly
about user information. Some of you feel that you are not correctly
informed about security issues. We follow a policy that was presented
here on this ML for comments about 6 months ago, and no one made a single
comment about it. Some of you now have issues with it; I'll try to
answer them.

1/ Major security issues (like the recent local root) should be posted
on this ML because gentoo-security subscribers deserve to know

Why not. You can post it here if you want. But what we really need is
that people post it in Bugzilla, because it's our workflow tool. Posting
it here will raise awareness, but it won't speed up resolution. That was
the idea of the first answers (Mike Frysinger, although not a member of
the security team, is not a very subtle guy and goes straight to the point).

2/ Gentoo has the duty of informing us of vulnerabilities when they are
known, not when they are fixed.

Look around and you will find that Gentoo has the most open security
resolution process of ALL Linux distributions. Security bugs are in
public bugzilla, we discuss those bugs in a public IRC channel
(#gentoo-security). The information is out there, but you want the
Gentoo Security Team to push it to you. Sorry, we won't do that. We are
completely overloaded already by just trying to handle all those
vulnerabilities and publish Security Advisories when they are fixed. The
GLSA Coordinators team is just 4 guys with day jobs, and we still manage
to do as much (and sometimes better) than commercial distributions with
full-staffed security teams. No distribution does what you're asking
for. Even if you pay RedHat for it, they still won't push information to
you about still unfixed vulnerabilities. Furthermore, information IS out
there. Go pick it up...

3/ Information on kernel vulnerabilities is not good

Every time this particular flamewar explodes on this list, it's about a
kernel vulnerability. I didn't see (yet) one about a root exploit in
mit-krb5 or any other package, which has MUCH MORE impact than a barely
exploitable local root. There is a reason for that. Kernel
vulnerabilities take longer to fix (for all sources) and GLSAs about
kernel vulnerabilities are always overdue. Our organisation and the
rules we follow are good for packages but not for kernels. We are
working on improving that. We feel you should be better informed about
kernel vulnerabilities, as soon as they are detected and as soon as a
particular sources set is fixed, to be able to know when to upgrade
kernels and plan everything. We'll stop issuing GLSAs about kernel
issues and replace them by a kernel security information webpage. This
is a project under way and you should see progress about it very soon.

4/ The Gentoo developers are a bunch of lazy asses that can't suffer
constructive comments and want to keep everything for themselves

I am fed up with this crap. As an operational manager for the Security
Team, I spend most of my free time wrangling security bugs, pushing the
other developers to provide fixed packages, drafting GLSAs, sending
them, scouting multiple security mailing-lists so that YOU, the user,
can be protected. You may think we are a closed group which does funny
stuff and keep you away from it. Hear this: this job is not funny. I
would like there to be more people in the security team so that I can
handle more of the things I like in Gentoo (like embedded). But I can't.
I asked for help here a few times but nobody steps up. When they do,
they quickly realize this work is NOT fun and they disappear. If
sometime in the future there isn't anyone watching, fixing and
publishing security advisories in Gentoo, maybe you'll look back at
this kind of thread and see the reason.

I will reiterate my call for help here. We need dedicated people who
will spend a few hours per day handling security bugs (yes, the "Full of
Shit" Bugzilla has to be sorted out). You won't be paid, except by acid
remarks on this ML telling you that you should do more. Candidates?

http://www.gentoo.org/proj/en/security/
http://www.gentoo.org/security/en/padawans.xml

--
Thierry Carrez (Koon)
Operational Manager, Gentoo Linux Security
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sat, 8 Jan 2005 19:35:57 -0500 (EST)
Kris <kris@theendless.org> wrote:

> I honestly don't think it would require that much effort to post brief
> security related announcements.

And besides that it doesn't even have to be done by Gentoo devs. ;)

> Ok, maybe I misunderstand the purpose of this list? It is a security
> list, and a major security hole was discovered, that affects the
> gentoo kernel sources, to which I have good faith are being worked on,
> but we have not been formally informed?

Somebody posted info about the vulnerability to this list. After this
you can look for the relevant bug in Bugzilla and add yourself to CC if
you're interested [1]. When there is a solution, a GLSA [2] will be
issued.

IMHO this process doesn't sound like too much trouble and should be
transparent enough.

[1] http://bugs.gentoo.org/show_bug.cgi?id=77025

[2] Please don't ask me why GLSAs aren't cross-posted to -security as
well, this was decided before I joined the team.

--
Michael Kohl <citizen428@gentoo.org>

GnuPG key: 0x90CA09E3/4D21 916E DBCE 72B8 CDC5 BD87 DE2D 91A2 90CA 09E3

Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
Michael Kohl wrote:

>>I honestly don't think it would require that much effort to post brief
>>security related announcements.
>
> And besides that it doesn't even have to be done by Gentoo devs. ;)

Just before I joined the security team there was someone that said he
would do that. He called them "GLVP" (for Gentoo Linux Pending
Vulnerabilities). He said he would post to gentoo-security each
Saturday. Guess what? He posted one and never posted again. Proof for
the paranoid types out there:

http://marc.theaimsgroup.com/?l=gentoo-security&w=2&r=1&s=GLVP&q=b

Guess history keeps repeating itself. It's not that easy to regularly
commit free time to do work. It's easy to complain, it's not that easy
to be part of the solution.

--
Koon
Operational Manager, Gentoo Linux Security
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sun, 9 Jan 2005, Thierry Carrez wrote:

> Just before I joined the security team there was someone that said he
> would do that. He called them "GLVP" (for Gentoo Linux Pending
> Vulnerabilities). He said he would post to gentoo-security each
> Saturday. Guess what? He posted one and never posted again. Proof for
> the paranoid types out there:
>
> http://marc.theaimsgroup.com/?l=gentoo-security&w=2&r=1&s=GLVP&q=b
>
> Guess history keeps repeating itself. It's not that easy to regularly
> commit free time to do work. It's easy to complain, it's not that easy
> to be part of the solution.

Ok, sorry for the "noob" remark/question here but can't this be automated
somehow? Like if someone files a security-related bug on bugs.gentoo.org
this could auto-dispatch an email to a relevant list... This way one would
not be dependent upon "manual labour" (for this particular task anyway).
Automate what can be automated I'd say[0]. :-)

Best regards

Peter K

[0] If only there was a way to automate bug-hunting... ;-)

--
We Can Put an End to Word Attachments:
http://www.fsf.org/philosophy/no-word-attachments.html

Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
I've read that on kernel trap, here's the url.

http://kerneltrap.org/node/4503

sorry for the late reply, I'm studying for my semester exams :)

regards,

On Sun, 9 Jan 2005 01:21:26 +0100, Philipp Kern <phil@philkern.de> wrote:
> On 8 Jan 2005, at 22:54, Miguel Filipe wrote:
> > I was about to send a email, asking if anyone knew a patch for
> > linux2.6.10 since both marcelo tossati and alan cox fixes were not
> > "approved" by linus torvalds.
>
> Perhaps you should have sent us the link to the LKML entry where the
> patches were denied by Linus.
>
> Regards,
> Philipp Kern

--
Miguel Sousa Filipe

Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sat, 2005-01-08 at 00:21, Miguel Filipe wrote:
> Hi all,
>
> Just to let you ppl know that there is a local root exploit for linux
> 2.4.x and linux 2.6.x..
>
> full info:
> http://isec.pl/vulnerabilities/isec-0021-uselib.txt

In keeping on topic with your original posting.

We have a bug open for this one, it can be found here.
http://bugs.gentoo.org/show_bug.cgi?id=77025

Note: the same patch does not work for PaX and vanilla users.

> Its kind of strange that this kind of information pops up on slashdot
> but doesn't appear in the gentoo-security ML.

Not so strange really, but thank you for passing the info along.

> greets to all!

salutes


--
Ned Ludd <solar@gentoo.org>
Gentoo (hardened,security,infrastructure,embedded) Developer
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sunday 09 January 2005 01:36 pm, Peter Karlsson wrote:
> Ok, sorry for the "noob" remark/question here but can't this be automated
> somehow? Like if someone files a security-related bug on bugs.gentoo.org
> this could auto-dispatch an email to a relevant list... This way one would
> not be dependent upon "manual labour" (for this particular task anyway).
> Automate what can be automated I'd say[0]. :-)

The solution to this has already been discussed. This is a discussion list,
not a notification list. If you want notification, set up a watch that meets
your requirements on Bugzilla. Bugzilla will email you, and those who want a
discussion list without extra notifications can still have one.

Regards,

- Brian

Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
"Brian G. Peterson" writes:
|
| The solution to this has already been discussed. This is a discussion list,
| not a notification list. If you want notification, set up a watch that meets
| your requirements on Bugzilla. Bugzilla will email you, and those who want a
| discussion list without extra notifications can still have one.


It seems to me:
* there is a want for such a list from a number of people
* it can be done via bugzilla

maybe I'm just lazy, but the next step doesn't seem to be
* (if new gentoo user who missed _this_ discussion) discover that
there is no announce for yet to be closed bugs
* individually set up bugzilla to do it.
* (repeat n hundred times)

the logical solution seems to be:
* set up a security-newly-discovered-start-to-panic@gentoo

I guess I'm wondering what stops this happening again in 6 months with
all the people who have joined after this discussion finishes (given
that the list's function isn't clear) and then suddenly go 'hey....'.

And also if it is sane to have a number of gentoo users all perform
the same operation in the bugzilla when there seems to be a need for a
single list that:
* gets posts from bugzilla
* no one else can post to (suggestion, announce on the new list, any
discussion here)
* is an official '@gentoo' list

In that way, we add a single new list with a clear reason for
existing, satisfy a lot of people and don't affect this group in
any way except maybe to get some more security discussion.


cheers,
cam

--
/ `Rev Dr' cam at darkqueen.org Roleplaying, virtual goth \
< http://darkqueen.org Poly, *nix, Python, C/C++, genetics, ATM >
\ [+61 3] 9809 1523[h] skeptic, Evil GM(tm). Sysadmin for hire /
---------- Random Quote ----------
Got Mole problems? Call Avogadro at 6.02 x 10^23.

Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
> "Brian G. Peterson" writes:
>
> And also if it is sane to have a number of gentoo users all perform
> the same operation in the bugzilla when there seems to be a need for a
> single list that:
> * gets posts from bugzilla
> * no one else can post to (suggestion, announce on the new list, any
> discussion here)
> * is an official '@gentoo' list
>
> In that way, we add a single new list with a clear reason for
> existing, satisfy a lot of people and don't affect this group in
> any way except maybe to get some more security discussion.

Completely agree.


Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Monday 10 January 2005 02.13, Cameron Blackwood wrote:
> "Brian G. Peterson" writes:
> | The solution to this has already been discussed. This is a discussion
> | list, not a notification list. If you want notification, set up a watch
> | that meets your requirements on Bugzilla. Bugzilla will email you, and
> | those who want a discussion list without extra notifications can still
> | have one.
>
> It seems to me:
> * there is a want for such a list from a number of people
> * it can be done via bugzilla
>
> maybe I'm just lazy, but the next step doesn't seem to be
> * (if new gentoo user who missed _this_ discussion) discover that
> there is no announce for yet to be closed bugs
> * individually set up bugzilla to do it.
> * (repeat n hundred times)
>
> the logical solution seems to be:
> * set up a security-newly-discovered-start-to-panic@gentoo
>
> I guess I'm wondering what stops this happening again in 6 months with
> all the people who have joined after this discussion finishes (given
> that the list's function isn't clear) and then suddenly go 'hey....'.
>
> And also if it is sane to have a number of gentoo users all perform
> the same operation in the bugzilla when there seems to be a need for a
> single list that:
> * gets posts from bugzilla
> * no one else can post to (suggestion, announce on the new list, any
> discussion here)
> * is an official '@gentoo' list
>
> In that way, we add a single new list with a clear reason for
> existing, satisfy a lot of people and don't affect this group in
> any way except maybe to get some more security discussion.

I'm a fairly new gentoo-user, and I subscribed to this list thinking:
"Great, I'll be notified if something really serious, like a kernel root
exploit, happens!". I understand now that this is not the case, but that many
like me thought it was, or are wishing it were.

"security-newly-discovered-start-to-panic@gentoo" like Cameron describes it is
exactly what I was looking for. If technically possible, please create it!

Thanks,
/Johan

Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Monday 10 January 2005 06:27, Johan Ekenberg wrote:
> I'm a fairly new gentoo-user, and I subscribed to this list thinking:
> "Great, I'll be notified if something really serious, like a kernel root
> exploit, happens!". I understand now that this is not the case, but that
> many like me thought it was, or are wishing it were.
>
> "security-newly-discovered-start-to-panic@gentoo" like Cameron describes it
> is exactly what I was looking for. If technically possible, please create
> it!

I too was hoping that this list would cover _major_ vulns in the _major_
packages/components: apache, openssh, linux, bind, etc.
(I know what is a major package for one won't be applicable for others).

Obviously though, we wouldn't want this list flooded with notifications like
"some-php-webboard-0.01 has a xss flaw in it" (which is why I can't be
bothered, and don't have time to sift through the mess on Full Disclosure).

Anyway, we all know about it now, which is I suppose what matters most.

--
http://zapee.com/ - funky hosting for funky people

Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
Johan Ekenberg wrote:
| I'm a fairly new gentoo-user, and I subscribed to this list thinking:
| "Great, I'll be notified if something really serious, like a kernel root
| exploit, happens!". I understand now that this is not the case, but that many
| like me thought it was, or are wishing it were.
|
| "security-newly-discovered-start-to-panic@gentoo" like Cameron describes it is
| exactly what I was looking for. If technically possible, please create it!
|
| Thanks,
| /Johan

Hi!

I subscribed not only for that, but to see those bugs discussed, their
possible implications, workarounds, fixes or even alternatives to the
software with that critical security flaw. To add to that, we can also
discuss generic security issues. I don't think bugzilla is the way to go
for that kind of interaction.

On the other hand, I wasn't expecting to have someone assigned to post
those messages. I was expecting to read emails from any user interested
in warning other users or discussing that exploit.



--
Rui Covelo
http://ruicovelo.2ya.com

Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Mon, 10 Jan 2005 12:13:02 +1100, Cameron Blackwood
<korg@darkqueen.org> wrote:
>
> the logical solution seems to be:
> * set up a security-newly-discovered-start-to-panic@gentoo
>

Call it something like gentoo-security-bugzilla@gentoo.org, and make
it obvious that it's an unfiltered stream of the new bugzilla entries.
It would let this list be what the policy appears to be, which is an
unmoderated security discussion list, even if it's rarely used for
that ;)

Mike

--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sat, 8 Jan 2005 13:53:13 -0500
bryank@cs.uri.edu wrote:

> To get it to compile, change modify_ldt_ldt_s to user_desc. For me it
> just segfaults then, but I don't know if that's because I have
> CONFIG_DEBUG_STACKOVERFLOW=y set.

For me (vanilla 2.6.10) it "brokenpiped" once and since then it only segfaults.

--
/~\ The ASCII Andrej "Ticho" Kacian <ticho at gentoo dot org>
\ / Ribbon Campaign GnuPG public key ID: 7CD93FE2 (pgp.mit.edu)
X Against HTML Key fingerprint:
/ \ Email! E87D 9DEF 2A23 6FFB 7AD9 542F 4253 3A46 7CD9 3FE2
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sun, 9 Jan 2005, Peter Karlsson wrote:

> On Sun, 9 Jan 2005, Thierry Carrez wrote:
>
>> Just before I joined the security team there was someone that said he
>> would do that. He called them "GLVP" (for Gentoo Linux Pending
>> Vulnerabilities). He said he would post to gentoo-security each
>> Saturday. Guess what ? He posted one and never posted again. Proof
>> for the paranoid types out there :
>>
>> http://marc.theaimsgroup.com/?l=gentoo-security&w=2&r=1&s=GLVP&q=b
>>
>> Guess history keeps repeating itself. It's not that easy to regularly
>> commit free time to do work. It's easy to complain, it's not that
>> easy to be part of the solution.
>
> Ok, sorry for the "noob" remark/question here but can't this be
> automated somehow? Like if someone files a security-related bug on
> bugs.gentoo.org this could auto-dispatch an email to a relevant
> list... This way one would not be dependent upon "manual labour" (for
> this particular task anyway). Automate what can be automated I'd
> say[0]. :-)

Certainly. Here's how you do it:

Sign up an email account to Gentoo's bugzilla. Select prefs, select
email settings. Add security@gentoo.org to the watch list. Now, down
below, uncheck every box in Field/recipient options EXCEPT Assignee
options 'I'm added to or removed from this capacity', 'The bug is
resolved or verified', and 'The bug is in the unconfirmed state'.

If you want to turn this into a list which other people can join, have
the email address you sign up be such a mailing list.

If people are interested, I may be doing this sometime during the next
few weeks for myself, and I should be able to set up a list. That being
said, I do occasionally have connectivity issues, and I do anticipate
being down for three weeks in June. As such, there are probably better
candidates to achieve this.

> Best regards
>
> Peter K
>
> [0] If only there was a way to automate bug-hunting... ;-)

Actually, for a certain class of bugs, there has been automated
bug-hunting. This class is 'garbage in handling'. IIRC, there was a
group that did a certain amount of this a few years ago.

Of course, bug-fixing would be potentially even better. :)

Ed

Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sun, 16 Jan 2005, Ed Grimm wrote:

> Certainly. Here's how you do it:
>
> Sign up an email account to Gentoo's bugzilla. Select prefs, select
> email settings. Add security@gentoo.org to the watch list. Now, down
> below, uncheck every box in Field/recipient options EXCEPT Assignee
> options 'I'm added to or removed from this capacity', 'The bug is
> resolved or verified', and 'The bug is in the unconfirmed state'.
>
> If you want to turn this into a list which other people can join, have
> the email address you sign up be such a mailing list.
>
> If people are interested, I may be doing this sometime during the next
> few weeks for myself, and I should be able to set up a list. That being
> said, I do occasionally have connectivity issues, and I do anticipate
> being down for three weeks in June. As such, there's probably better
> candidates to achieve this.

I'm also intermittently connected and I don't know where I could set up an
email-list (for that you would need access to a server?). Anyway, thanks
for the info/tutorial.

> Actually, for a certain class of bugs, there has been automated
> bug-hunting. This class is 'garbage in handling'. IIRC, there was a
> group that did a certain amount of this a few years ago.

Well, I have been toying with the idea for a while. Would it be impossible
to create a tool that would go through some source file and look for
security-bugs & trojans, much like an anti-virus program does with
binaries? I realise that it would probably be quite complex to cover all
possible "scenarios" but surely there has to be some common "signature"
(sorry if this doesn't make sense, English is not my native lingo) and of
course it cannot be one tool but has to be several tools for each type of
code (i.e. C - linux-kernel, C++ - KDE, perl - ?, etc.) or at least a tool
with different types of backends like gcc.

> Of course, bug-fixing would be potentially even better. :)

Oh yeah...

Best regards

Peter K

--
We Can Put an End to Word Attachments:
http://www.fsf.org/philosophy/no-word-attachments.html

Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Mon, Jan 17, 2005 at 02:58:23PM +0100, Peter Karlsson wrote:
> Well, I have been toying with the idea for a while. Would it be impossible
> to create a tool that would go through some source file and look for
> security-bugs & trojans, much like an anti-virus program does with
> binaries?

Yes. There are a number of automated vulnerability scanners; notable
open source ones include RATS, Flawfinder, and PSCAN, as well as others.
You can even run these upon emerging a package; solar demonstrated it
here: http://tinyurl.com/5jezq.

However, depending on who you ask, these tools range in effectiveness
from moderately useful to useless. In my limited experience with them,
they are good at finding very basic types of vulnerabilities--they
highlight instances of fixed-length buffers, improper use of
printf/sprintf/fprintf, and similar (untrusted input, for instance). But
they are far from perfect. An automated source code scanner is no
replacement for a safe language.

--
Dan Margolis
Gentoo Security/Audit
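To make concrete what Dan describes (the tools flag risky library calls and non-literal printf-family format strings, but do no data-flow reasoning), here is an added example that is not part of the original thread and not the code of RATS, Flawfinder or PSCAN: a minimal lexical C scanner in their style, run over a constructed C sample whose functions and comments are assumptions of this illustration.

```python
import re

# Calls a lexical scanner flags on the name alone (the Flawfinder/RATS approach):
# the function is unsafe by construction, so no data-flow reasoning is needed.
RISKY_CALLS = {
    "gets": "unbounded read into a buffer; use fgets",
    "strcpy": "no length limit; use a bounded copy with an explicit size",
    "strcat": "no length limit; use a bounded concatenation",
    "sprintf": "no length limit; use snprintf",
}
# printf-family functions and the index of their format-string argument.
FORMAT_FUNCS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def split_args(text):
    """Split a C argument list (text starts just after the opening '(') at
    top-level commas. Returns None if the call does not close on this line;
    the scanner is line-oriented, as the real tools largely are."""
    depth, cur, args, in_str, i = 0, [], [], False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(text):  # keep the escaped char
                i += 1
                cur.append(text[i])
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == "(":
            depth += 1
            cur.append(ch)
        elif ch == ")":
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            depth -= 1
            cur.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return None

def scan_c_source(source):
    """Return [(line_number, function_name, reason)] for each suspicious call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = re.sub(r"/\*.*?\*/", "", line).split("//", 1)[0]  # drop comments
        for m in CALL_RE.finditer(code):
            name = m.group(1)
            if name in RISKY_CALLS:
                findings.append((lineno, name, RISKY_CALLS[name]))
            if name in FORMAT_FUNCS:
                args = split_args(code[m.end():])
                idx = FORMAT_FUNCS[name]
                # A format argument that is not a string literal may be caller
                # controlled: the classic format-string bug.
                if args is not None and len(args) > idx and not args[idx].startswith('"'):
                    findings.append((lineno, name, "non-literal format string"))
    return findings

# Constructed C sample: true positives, one noisy hit, one miss (see comments).
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);        /* flagged: unbounded copy into a fixed-length buffer */
    printf(name);             /* flagged: caller-controlled format string */
    printf("%s\n", buf);      /* not flagged: literal format string */
}
void checked(const char *name) {
    char buf[64];
    if (strlen(name) < sizeof buf)
        strcpy(buf, name);    /* flagged anyway: the scanner cannot see the length check */
}
void log_line(FILE *fp, const char *msg) {
    fprintf(fp, msg);         /* flagged: non-literal format string */
}
void raw_copy(char *dst, const char *src, size_t n) {
    memcpy(dst, src, n);      /* missed: memcpy is not on the list and n is never checked */
}
'''

if __name__ == "__main__":
    for lineno, name, reason in scan_c_source(SAMPLE_C):
        print(f"line {lineno}: {name}: {reason}")
```

The bounds-checked strcpy in `checked()` and the silent miss in `raw_copy()` are the two failure modes Dan alludes to: a lexical scanner reports names, not proofs, so its output is a review worklist rather than a verdict.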
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Mon, 17 Jan 2005, Dan Margolis wrote:

> Yes. There are a number of automated vulnerability scanners; notable
> open source ones include RATS, Flawfinder, and PSCAN, as well as others.
> You can even run these upon emerging a package; solar demonstrated it
> here: http://tinyurl.com/5jezq.
>
> However, depending on who you ask, these tools range in effectiveness
> from moderately useful to useless. In my limited experience with them,
> they are good at finding very basic types of vulnerabilities--they
> highlight instances of fixed-length buffers, improper use of
> printf/sprintf/fprintf, and similar (untrusted input, for instance). But
> they are far from perfect. An automated source code scanner is no
> replacement for a safe language.

I guess they have to start somewhere... And they probably cannot
substitute for good programming practices (for the foreseeable future). But I
would think that they would have to be tailor-made for the application
they scan, i.e. the linux kernel would need special treatment, X Window
has other needs, etc.? Thanks for the info though, I've googled about
this before but probably didn't use the correct wording...

Best regards

Peter K

--
We Can Put an End to Word Attachments:
http://www.fsf.org/philosophy/no-word-attachments.html

Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
A small update about kernel security.

As you may know, we no longer release GLSAs about kernel vulnerabilities
and are in the process of changing kernel vulnerabilities information to
a more live information system.

In the meantime, we'll post information about serious fixed
vulnerabilities on this list, so that you are informed of the safe
kernels you can use.

As of today only 4 Portage-provided kernel sources are free of serious
kernel vulnerabilities (serious being remote root, remote DoS or local
root):

- gentoo-dev-sources [2.6]
- grsec-sources [2.4]
- hardened-dev-sources [2.6]
- hardened-sources [2.4]

Use of the latest version of one of these sources is highly recommended
in any security-sensitive setting.

Several others should be fixed soon, as they are currently only
vulnerable to one serious vulnerability (the i386 SMP page fault handler
privilege escalation, bug 77666):

- gentoo-sources
- ac-sources
- ck-sources
- sparc-sources
- uclinux-sources
- usermode-sources
- win4lin-sources
- wolk-sources
- xbox-sources

--
Koon
Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
Thierry Carrez wrote:
> A small update about kernel security.

Thanks ...

> As you may know, we no longer release GLSAs about kernel vulnerabilities
> and are in the process of changing kernel vulnerabilities information to
> a more live information system.
>
> In the meantime, we'll post information about serious fixed
> vulnerabilities on this list, so that you are informed of the safe
> kernels you can use.
>
> As of today only 4 Portage-provided kernel sources are free of serious
> kernel vulnerabilities (serious being remote root, remote DoS or local
> root) :
>
> - gentoo-dev-sources [2.6]
> - grsec-sources [2.4]
> - hardened-dev-sources [2.6]
> - hardened-sources [2.4]
>
> Use of the latest version of one of these sources is highly recommended
> in any security-sensitive setting.
>
> Several others should be fixed soon, as they are currently only
> vulnerable to one serious vulnerability (the i386 SMP page fault handler
> privilege escalation, bug 77666) :
>
> - gentoo-sources
> - ac-sources

Unless I'm very much mistaken, Alan Cox addressed the aforementioned bug
in 2.6.10-ac9. As the current ebuild in portage is ac-sources-2.6.10-r10
it shouldn't be vulnerable. Btw, a 2.6.10-ac11 is available but it's not
security critical. The changes are:

2.6.10-ac11
o First phase of HPT driver cleanups (Alan Cox)
| This is just clean ups: the actual changes to make HPT372N
| work well will happen elsewhere first for obvious reasons
o ACARD scsi driver updates
o netpoll fixes (Matt Mackall)
* Fix a bug that could cause corruption of large (Petr Vandrovec)
x86-64 apps when run mixed with x86-32 apps
* Fix oops with md over dm (Jens Axboe)
* Fix a tlb race that could machine check x86-64 (Andi Kleen)
* Fix the "can only burn one DVD" bug (Michal Schmidt)
* Fix a whole pile of pegasus driver bugs (David Brownell)
* Don't collapse multi-packet skb's (David Miller)
o Samsung SN-124 should not be on DMA blacklist (Alan Cox)
| Reported/tested by Amit Bhutani
* Fix an ipv6 "badness" (Herbert Xu)
| (Split out for -ac by Pekka Pietikanien)
* Fix a couple of small merge errors I made in (Clear Zhang)
the ULi ethernet support patch

> - ck-sources

The current ebuild is ck-sources-2.6.10-r5 and, again, the aforementioned
bug should be addressed as Con now includes the -as2 patchset as a base
(http://www.acm.rpi.edu/~dilinger/patches/2.6.10/as2/) and this happens
to include the fix.

> - sparc-sources
> - uclinux-sources
> - usermode-sources
> - win4lin-sources
> - wolk-sources

The ebuild is pretty outdated - a wolk-4.17 is available. However, the
fix will only be in wolk-4.18 which is not yet "officially" available
(apparently because the author is still in the process of incorporating
grsec-2.1.1). However, an interim release is apparently available here,
presumably with the old grsec implementation
(md5:4c667edcc8245dc92d5bb87a63a9aaa1):

http://www.kernel.org/pub/linux/kernel/people/mcp/tmp/

Perhaps it could be implemented as is and the older ebuilds purged, or
the fix could be established for 4.17 by way of a diff in the case that
the "vanilla" 2.4 fix doesn't play ball with the patchset? Just a thought.

> - xbox-sources

Cheers,

--Kerin Francis Millar

Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Saturday 08 January 2005 19:02, Daniel Brandt wrote:
> So clearly a lot of people here don't want to know about possible
> security issues in a timely manner. Also, unless you are really good
> at communicating your exact intentions in so perfect English that no
> possible ambiguities may arise, please refrain from posting if you
> don't want to be called an ass.

Why don't you try out bugtraq? Almost all the bugs get there and they do
that very fast. Of course it's a high volume list, but it'll keep you on
top of things.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Saturday 08 January 2005 19:38, Lance Albertson wrote:
> Sven Beukenex wrote:
> > You send the _security_ advisories to _announce_ because more people
> > are subscribed to it?
> > You only announce problems _after_ a fix is made??? Did it occur to
> > any of you that people might want to disable vulnerable services or
> > even *gasp* help produce fixes for the problems?
> > We have to watch bugs.gentoo to get a total picture?
>
> Perhaps there should be another list or method for people like you to
> know about things better. I'm not on the security team, so its not my
> call. I wasn't around when they changed sending advisories from this
> list to the other one, so I don't know the exact reasoning. I do see
> your point, and it is valid, so perhaps we should come up with a
> solution that works instead of flaming or yelling. Attitudes like that
> just make us not want to help even more.

I was around when the policy changed, although I am not and have never
been a member of the security team. The main reason to post security
announcements on announce is that the announce list is low traffic as it
is a read-only list. At that point the security list was downgraded to a
list for discussion about security on gentoo.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net