[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CoreOS membership to linux-distros
From:       Sven Dowideit <sven () rancher ! com>
Date:       2017-06-28 13:22:42
Message-ID: CY4PR11MB15923C857FBA8F9B884AF2A2DADD0 () CY4PR11MB1592 ! namprd11 ! prod ! outlook ! com
[Download RAW message or body]


TBH, the biggest worry I have is the fact that until there are actual exploits available, we're \
just hoping that the tests we write are reasonable - its a game of chinese whispers, where we \
think we grok the information correctly, and completely - but we we're playing with a very \
partial deck.


I did already find a few test tools - and thanks - yours also suggests that with the RancherOS \
release I made a few days ago, that we've done what we can (ok, so I actually delayed and \
didn't release the patched version I gleaned was the set - I was able to use 4.9.34 - as we're \
trying hard to be pure upstream whenever possible)


IDK - I wouldn't call it "on a golden platter" - I'm trying to suggest that the bigger players \
have a tonne more knowledge and experience than we newer and smaller players do - but perhaps \
we can work out how the smaller distros can also get some early information and guidance - and \
perhaps that'll help mentor us up into doing more.


Sven

________________________________
From: Dominique Martinet <asmadeus@codewreck.org>
Sent: 27 June 2017 23:58:26
To: oss-security@lists.openwall.com
Subject: Re: [oss-security] CoreOS membership to linux-distros

Sven Dowideit wrote on Wed, Jun 28, 2017:
> I'm responsible for RancherOS, and think that both I, and my users
> would prefer that I had access to the embargoed information earlier,
> so preparing a response would have been less of a rush.

I can relate to the rush feeling, even with few users/"private" distro
here, having a custom kernel makes this kind of fixes annoying...
But given the delayed exploit release I'd say it does not really matter
if you take a few days for this, especially in this case with the low
success rate on 64bit linux. As soon as reasonably possible does not
necessarily mean rush.

As a rhel/centos spin-off though we would have liked the bug brought up
here ( https://bugzilla.redhat.com/show_bug.cgi?id=1463241 ) to have its
fix published faster though, it's apparently been ready for a week but
not been published... I don't mind bugs, but if it's fixed it's annoying
to keep it behind closed doors.


> One of the things that would have made my last week less worrying, is
> to have some access to exploit code - so as to verify the changes
> actually had a useful effect.

You don't need an actual exploit to test this. You're not the first
person who have told me this so I actually took some time this morning
to whip up a "tester" -- it's probably far from perfect but will run
successfully on older debian/rhel and crash with a patched kernel as
expected, and is as inoffensive as it can get.

I'm sure there are other better testers online, I didn't try looking as
I don't get much chance to play with this kind of stuff :)


Qualys gave a lot of details in their report (kudos to well written
advisories like that!), I agree having everything on a golden plate is
better but it really isn't much work left for smaller distros if you
trust the big ones or even just upstream, once bugs got steamed out.

--
Asmadeus | Dominique Martinet



[prev in list] [next in list] [prev in thread] [next in thread]