
Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory



On Tue, Dec 02, 2003 at 11:23:53PM +0100, Marcel Weber wrote:
> I think this incident is a nice lesson learned for everyone. A found coding bug can always have security implications, as there will always be someone ingenious enough to create an exploit of it. We all know some bigger software company telling its customers that some coding bugs are not that critical until the next worm / email virus appears...

The issue isn't whether the bug is fixed (it already was); the issue is
whether it's publicized as a security fix with a big notice that everybody
must upgrade now. Have you looked at the diffs between kernel revisions?
That's a whole lotta fixed bugs. There's a human factor in the process
of deciding which bugs get the full treatment and there always will be.
Or do you have some better solution? Treating every bug fix as critical
and making upgrade is *not* a solution because 1) people would get tired
of it and not bother, not knowing whether it's a real important fix or
not 2) the changes might introduce stability problems, which can
themselves render the system unusable and 3) some bug fixes might
introduce new security problems, leading to no net gain.

Mike Stone


