Linux vulnerabilities being covered up (again)

Discussion in 'all things UNIX' started by Hungry Man, Mar 4, 2013.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  2. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    I don't agree with obscuring information.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Well, that's good; unfortunately, that's something upstream does quite often.
     
  4. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Is there some benefit?
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  6. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
    The more eyes the better. And this is what gets my goat: Linux elitists who turn up their noses at stuff like this. The point of Linux is that it's open; if you shut yourself off from acknowledging bugs and exploits, then it's bad for everyone.
     
  7. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    How do you think this was "covered up"?

    Cheers, Nick
     
  8. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    How does "upstream" (I assume you mean the kernel devs) obscure anything?

    The kernel already notifies the Linux-Distro private mailing list and leaves the responsibility to disclose to them.

    Cheers, Nick
     
    Last edited: Mar 4, 2013
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes, I mean the kernel devs.

    How do they obscure anything? Oftentimes it's referring to a buffer overflow as a "memory corruption leading to adjacent memory blah blah blah", i.e. taking a common term and rewriting it so that it doesn't sound like a vulnerability.

    http://seclists.org/oss-sec/2013/q1/569

    There you go.

    http://seclists.org/oss-sec/2013/q1/349

    https://lwn.net/Articles/538600/

    I can find a lot more than these. Some really funny examples, like the one I referred to where they called vulnerabilities DoSes for a long time even though hackers had already directly given PoCs showing exploitability.

    This has led to vulnerabilities in the kernel being reported but not fixed in distros for weeks. I can get more reading for you, which will show how this happens and how you can spot patterns.
     
  10. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Thanks,

    BTW, I'm not taking sides, as I'm not in any way a kernel guy; I'm just trying to understand the situation more. It's very hard to separate the facts from opinion.

    Cheers, Nick
     