Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Kurt Seifried <kseifried-H+wXaHxf7aLQT0dZR+AlfA <at> public.gmane.org>
Subject: Re: CVE request - Linux kernel: VFAT slab-based buffer overflow
Newsgroups: gmane.comp.security.oss.general
Date: Thursday 28th February 2013 01:46:51 UTC (over 4 years ago)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/27/2013 04:24 PM, Jason A. Donenfeld wrote:
> On Thu, Feb 28, 2013 at 12:07 AM, Greg KH
 wrote:
>> Really?  Ok then, please go ahead and try doing this yourself if
>> you feel it is so "obvious" to do.
> 
> I did yesterday, actually. I saw some commit that said "use after 
> free!", saw that it was triggerable by an unpriv'd user, and sent
> it into the list. Kurt took a look at it, agreed with the
> assessment, and assigned a CVE. The commit itself said "use after
> free" -- I didn't even have to do any heavy lifting or
> hair-splitting investigation.

No I didn't. This is why I require good quality requests, anything
else is a waste of my time. If it doesn't meet an easy "definitely a
security bug" I push it back to people and keep poking them with
annoying questions, in some cases this takes weeks or months to be
resolved (some are quite subtle, like that IPv6 Kernel stuff).

I assigned 1600-2000 CVEs last year, it will be more this year. At one
hour per CVE that would be a full years work right there. Even at 1-5
minutes per CVE it's still a huge time sink. The Kernel people are
working with roughly an order or two magnitude more bug reports to
assess (because even trivial looking things can turn out to have nasty
consequences or even represent entirely new classes of flaws, just
look at the recent Ruby stuff or XML stuff).

>> Nope, we are dumb, we do uninteresting, boring work, dealing with
>> broken hardware and demanding users every day.  If we were
>> smarter, we wouldn't be doing this type of thing.
> 
> Come on...

This also goes for security people. If we had any sense we'd go live
in the woods in a cabin and drink moonshine and go hunting. I'm still
assigning CVE's for /tmp file vulns. That's just inexcusably stupid.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRLrcLAAoJEBYNRVNeJnmTzlwP/3RD6L9k60EmE43kt/NMQK8N
sbG3eKCuDug7Z81FS5qMsu6tNSFSvSPF1zkt1XtYFoaPPAiSCJ5iJWtsZHiBpMcQ
UG4fbtkZIwbmaijSB455hGRryKC8XhnTy9kjOj+VLiHenjOYYDLGEjJm+stsN6t9
K2uacEKWugzHVPXSoexjRyIS7lai8f04FifMHav/N9ZG8tlbsNA6zr2mx9QDgAfO
B+Hmy0mjFXcY9zzyUPlLUOfIQzAxv8DzYF7tUY1Nybttno+ul85OQNSsShJHH10E
M34/tLIaMorku/oB00H9hveEi1zgOcVotVIk6tJ/qCnBffOHZ0MWEFYte3ou98D2
yjjjd6nDcu2LAK7cTlbV306oA9F69cWQJ8wWd019Fvmln51z7OCX3fOmjKzz3F4z
BmVeBtd0XK65BpHXwU/EewWklTcoATzkr0dZdBupB50PEejF4cDOTgN+g/z4FWjj
GKeu06LwlSZcyeQ55S8DLwEK1K8ZvbZhRCwFHISjX7W7G1yWarUZ2jZV333Spv4O
81s3t5haDASbLmNNclZayxhs0wTqGEFRDrFCu4r/hKUvcdTuvFgcBDoMJP6jZC+A
8FnCbVnE4kt1buIhbXWj/YwhpbguhCKebwCtAT135jONn8gs085VhUaGaOoc0vnS
PN5pIr8yoEf2QuGt+3UI
=H3sd
-----END PGP SIGNATURE-----
 
CD: 3ms