
Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory



J.H.M. Dassen (Ray) wrote:
On Tue, Dec 02, 2003 at 13:35:51 -0600, Micah Anderson wrote:

Previous kernel security holes have been treated with a lot more
"transparency" and communication than this one was; I am disappointed that
this one wasn't.


I fail to see how this was treated with less transparency than previous
holes. The only difference I see is that with previous kernel security holes
like the ptrace one, the kernel developers recognised the security
implications of a coding bug almost immediately, whereas in this case it
took quite some time. That's unfortunate, but quite understandable. Mistakes
happen.

Ray

I think this incident is a nice lesson learned for everyone. A found coding bug can always have security implications, as there will always be someone ingenious enough to create an exploit for it. We all know some bigger software company telling its customers that some coding bugs are not that critical until the next worm / email virus appears...

If the behaviour of a piece of code cannot be predicted under any circumstances it represents a risk. And I would even say that in the real world we will never find anything that is totally risk free. The question is rather if we are willing to take a certain KNOWN risk or not.


Marcel


PS: I wanted to thank the whole Debian security team and everyone who helped put together this very detailed and concise report about the hacked servers.


