Linux's unofficial security-through-coverup policy

Vulnerability ID: 1052635    Vulnerability type: (not listed)
Published: 2008-07-16    Updated: 2008-07-16
Platform: N/A    CVSS score: N/A
Hi all,

I doubt many of you are following the "discussions" (if they can be 
called that) that have been going on on LWN for the past couple weeks 
regarding security fixes being intentionally covered up by the Linux 
kernel developers and -stable maintainers.  Here are some references:

The Linux kernel has a formal policy in Documentation/SecurityBugs which 
states under Section 2 Disclosure:
"We prefer to fully disclose the bug as soon as possible."

However, their policy in reality is quite different, as you can see for 
yourself in the "discussion" going on now on LKML:

Some choice quotes from Linus that reflect how sad the current state is:
(on commenting about what he would allow to be included in a commit 
"I literally draw the line at anything that is simply greppable for. If 
it's not a very public security issue already, I don't want a simple 
"git log + grep" to help find it."
(when talking about the security backports Linux vendors provide for 
"And they mostly do a crap job at it, only focusing on a small 
percentage (the ones that were considered to be "big issues")"

They seem to have the impression that people who find and exploit kernel 
vulnerabilities rely on the commit messages fixing the vulnerability 
including some mention of security.  As it should be clear to anyone 
actually involved in the security community, or anyone who has ever 
written an exploit (particularly for the myriad silently fixed 
vulnerabilities in Linux), this is far from reality.  The people who 
*do* rely on these messages and announcements however are the smaller 
distributions and individual users.  Yet Linus et al believe they're 
helping you by pulling the wool over your eyes regarding the exploitable 
vulnerabilities in their OS.

To illustrate the point, in the kernel, the following fix was 
included with the commit message of:
Roland McGrath (1):
      x86_64 ptrace: fix sys32_ptrace task_struct leak

The kernel was released with no mention of security vulnerabilities in 
the announcement, only "assorted bugfixes".

Put simply, it only took about an hour or so to develop a PoC for this 
exploitable vulnerability which affects 64bit x86_64 kernels since 
January.  So since the time of the fix itself (or even before that if 
someone spotted it before the kernel developers did themselves) users 
have been at risk.  Yet in the imaginary world they live in, these 
kernel developers think they're protecting you from that risk by not 
telling you what you're vulnerable to.

Please let them know what you think of their policy of non-disclosure 
and coverups.  I hope someone also educates them on their ridiculous 
notion of "untrusted local users" like Greg uses in his announcement of 
the kernel:

If you remain complacent about the state of affairs, you're only 
enabling them to continue their current misguided foolishness.