Re: When are security updates effective?

To: debian-security@lists.debian.org
Subject: Re: When are security updates effective?
From: paddy <paddy@panici.net>
Date: Mon, 4 Sep 2006 11:15:39 +0100
Message-id: <[🔎] 20060904101516.GA12336@cobalt0.panici.net>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20060904061544.GK13910@nalle>
References: <slrnef9acl.4f4.jmm@inutil.org> <20060831062919.GD13910@nalle> <20060831075526.GF4321@afrika.vzsze.de> <ed6sb3$t32$2@sea.gmane.org> <20060831222327.GA20606@khazad-dum.debian.net> <[🔎] 20060901212816.GH13910@nalle> <[🔎] 20060901225614.GG24013@mathom.us> <[🔎] 20060902045232.GI13910@nalle> <[🔎] 20060902083704.GA6861@afrika.vzsze.de> <[🔎] 20060904061544.GK13910@nalle>

On Mon, Sep 04, 2006 at 09:15:45AM +0300, Mikko Rapeli wrote:
> On Sat, Sep 02, 2006 at 10:37:04AM +0200, Rolf Kutz wrote:
> > * Quoting Mikko Rapeli (mikko.rapeli@iki.fi):
> > > I think it is relevant: should the effectiveness actions in general 
> > > be based on the host where the update was applied through lsof, package 
> > > dependencies provided and digitally signed by Debian, some other information
> > > provided and digitally signed by the Debian security team in an
> > > advisory or something else?
> 
> Or package installation scripts provided by the package maintainer.
> 
> > The problem here is that when the software has
> > been exploited already, installing the security
> > update doesn't fix the problem anymore.
> 
> Exploited to what extend? Without stack protection, address space
> randomization, selinux etc, it's very difficult to know wether a
> processes address space has been violated. And non-privileged processes
> don't have write access to binary files on the system without additional
> local root holes.
> 
> My point is: lsof may not be trustworthy on per host basis when making
> security updates effective. The time between security bug publication and
> applying the updates varies too much. If a Linux distro can do better
> than Windows and not require full reboot after every update, I'd like to
> see a confirmation of the steps required to make the update effective
> from a source I trust anyway.

So you could have some system of compartments, where if there was a breach
in a compartment you could sanitise the compartment?  To take a more 
concrete example, suppose it's an ordinary user running a web browser in
their ordinary account, and a vulnerability is found in that browser, and
running instances must be assumed exploited.  Sounds like you're saying 
that lsof, even if the binary itself can be assumed sound, relies on data
from the compartment which could be compromised and so it's output for
the use you suggest cannot be completely trusted.  Seems to me that there
are plenty of other problems getting to a compartment you can sanitise
effectively, like the possibility of an exploit to persist via
filesystem and hooks like cron or .profile, no ? but I like the idea.

Regards,
Paddy
-- 
Perl 6 will give you the big knob. -- Larry Wall

Reply to:

References:
- Re: When are security updates effective?
  - From: Mikko Rapeli <mikko.rapeli@iki.fi>
- Re: When are security updates effective?
  - From: Michael Stone <mstone@debian.org>
- Re: When are security updates effective?
  - From: Mikko Rapeli <mikko.rapeli@iki.fi>
- Re: When are security updates effective?
  - From: Rolf Kutz <kutz@netcologne.de>
- Re: When are security updates effective?
  - From: Mikko Rapeli <mikko.rapeli@iki.fi>

Prev by Date: Re: When are security updates effective?
Next by Date: Firefox on testing hijacked by http://www.megago.com/l/?
Previous by thread: Re: When are security updates effective?
Next by thread: Re: GPG errors from apt update
Index(es):
- Date
- Thread