RE: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access

> -----Original Message-----
> From: Roland Dreier [mailto:roland@xxxxxxxxxxxxxxx]
> Sent: Thursday, April 02, 2015 7:33 PM
> To: Shachar Raindel
> Cc: oss-security@xxxxxxxxxxxxxxxxxx; <linux-rdma@xxxxxxxxxxxxxxx>
> (linux-rdma@xxxxxxxxxxxxxxx); stable@xxxxxxxxxxxxxxx
> Subject: Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected
> physical memory access
> 
> On Thu, Apr 2, 2015 at 12:52 AM, Shachar Raindel <raindel@xxxxxxxxxxxx>
> wrote:
> > This is a common practice in the security industry, called
> > "responsible disclosure."
> >
> > Following the kernel security bugs policy [1], we reported it to
> > the kernel security contacts a few days before making the issue public.
> > A few days after the issue became public, we published a clear report to all
> > of the relevant mailing lists.
> 
> Isn't the point of responsible disclosure to delay disclosure until a
> fix is in place?  What's the point of sending a notification to the
> kernel security team if you're going to disclose publicly before the
> upstream kernel is fixed?
> 

We delayed the disclosure until most major Linux vendors released a fix for
the issue, give or take in synchronization.

The Linux security contact list only guarantees secrecy for 7 days. We
therefore contacted them only close to the date at which fixes were going to
be released, to follow their expectations for the period of time between contact
and public disclosure.

Thanks,
--Shachar