On Tue, Dec 10, 2013 at 06:45:54PM -0800, Kees Cook wrote: > On Tue, Dec 10, 2013 at 6:00 PM, Dave Chinner <david@xxxxxxxxxxxxx> wrote: > > On Tue, Dec 10, 2013 at 08:10:51PM -0500, Josh Boyer wrote: > >> On Tue, Dec 10, 2013 at 8:03 PM, Dave Chinner <david@xxxxxxxxxxxxx> wrote: > >> > Security processes are not something that should be hidden away in > >> > it's own private corner - if there's a problem upstream needs to > >> > take action on, then direct contact with upstream is necessary. We > >> > need to know about security issues - even ones that are classified > >> > post-commit as security issues - so we are operating with full > >> > knowledge of the issues in our code and the impact of our fixes.... > >> > >> Agreed. I'm going to interpret your comments at being directed to the > >> general audience because otherwise you're just shooting the messenger > >> :). > > > > Right, they are not aimed at you - they are aimed at those on the > > security side of the fence. I'm tired of learning about CVEs in XFS > > code through chinese whispers and/or luck. > > Mostly I try to shield anyone not interested in CVEs from the boring > process, and try to focus on just getting things marked as needing to > go into stable. I don't think anyone needs to read the oss-security > list if they don't want to. Which is how is should be. ;) All I want is some kind of notification when a CVE raised for an XFS issue. It may be telling us something we already known, but if: a) it has not yet been pushed upstream; or b) it was not marked for stable kernels at commit time; or c) don't have a fix for it yet then it's an indication that we need to pay a little more attention to this class of problem when we review similar fixes. > In this case, the fix Dan sent was part of a larger collection of > security issues reported by Nico. I think the communication error here > was Dan accidentally forgetting to add the Cc: stable tag. But beyond > that, it was sent to the xfs list and Cc: to security, so I'm not sure > it's fair to say it was hidden away. :) Right - this falls into the above category a) because of that. There didn't appear to be any urgency because of the level of exposure of the problem (i.e. need CAP_SYS_ADMIN to trip over it) and the fact it's been like this for the past 10 years.... > Besides the missing Cc: stable tag, what should future patch senders > do to call attention to an issue being a security problem at the time > it is being reported? Well, it may not be known at the time it's considered a security issue, so I think that the best thing to do is make sure that when a CVE is actually raise a note is sent to the relevant list just to indicate 'CVE 1024-3267 has been raised for commit abcd1234 ("xfs: knabgraddle the frobnozzle")'. At least that way everyone - including XFS users - that there is an issue that they might want to look out for and plan to upgrade their stable kernels in the not-to-distant future... Cheers, Dave. -- Dave Chinner david@xxxxxxxxxxxxx -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html