CVE-2023-7008 Christmas drama notes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello systemd users and developers,

I have experienced something in issue #25676 [1], which has been closed and I am not allowed to comment there anymore. But the experience I had there were so terrible, I feel a need to comment a little bit.

I were accused I did something on purpose and were unwilling to cooperate. I don't think that is true.

Yes, I have sent a request to our security team to review RH bugzilla bug #2222261 [2], because I felt systemd team fail to own the problem reported to them appropriately. That were on day 2003-07-12, 15:38. No, it were NOT at 7th of December.

This was the text I have sent:

Hi Security team,

can you please evaluate bug https://bugzilla.redhat.com/show_bug.cgi?id=2222261, whether it is deserves own CVE? It contains DNSSEC support, but it can be trivially made into serving unsigned content even on signed zones data. It does not crash, but allows DNS spoofing.

Unforunately that were reported publicly on upstream:

https://github.com/systemd/systemd/issues/25676

Is it just a bug or vulnerability?

That were somehow end of my role. Just a day after that Lukáš Nykrýn commented new bug [3], acknowledging they knew about the issue. I have told them I consider it important. It were received and waited for 6 months without any visible progress and 6 days ago, the ticket for it has changed and CVE-2023-7008 were assigned to it. Yes, I admit the timing were far from ideal, because it happened few days before Christmas Eve, where I think most of involved people has holidays. Not anything I had any influence on. Including me, I were at that time on vacation for two weeks already. It were done by person living in India, possibly not aware how bad the time for the change is now.

Why I have not been helpful in adding note it is happens only with DNSSEC=yes? Because with DNSSEC=no it is not a single bit safer, as it might appear. In unfixed versions on-path attacker can insert any response to your DNS cache, regardless DNSSEC setting you have. Of course, with DNSSEC=no or DNSSEC=allow-downgrade that is common and expected and not a vulnerability. But is it better or more secure? Of course not, not a single bit! With recently fixed versions, only DNSSEC=yes prevents bogus responses.

Yet, I were accused to have abused something. I did not. But I would like to thank Luca for removing me from systemd organization. Yes, none of my proposed commits have been never been merged. I have received limited rights to be able to mark selected issues with tags like downstream/rhel or downstream/fedora, so those issues can be prioritized. In order to help systemd team prioritize important fixed to systemd-resolved for RHEL, given I possess higher DNS expertise than they do (my opinion without a proof). I am glad I were removed.

It is very surprising how poisonous atmosphere I have found in such very important project in open source operating systems, as is the *systemd*. I admit I have been warned by my former manager to not expect any positive negotiations from systemd people, because more people failed before me, but I have tried. But I would not recommend anyone to even try to collaborate on systemd, if they may disagree with anyone. I have never met more toxic and unhelpful behavior from upstream maintainers than on systemd. Not in my 7 years I work on different RHEL components. I now understand why flame wars about systemd vs other process managers were always that emotional. I don't think there are important technical deficiencies, but the communication style I have met here is plain terrible.

For my whole 7 years I have been working in Red Hat, I have not met more frustrating upstream than at systemd. I had quite friendly discussion with our people working on systemd at Brno or from Poland. But for reason unknown to me, I struggled quite much with other people in the project, most often Lennart himself. Especially on issues discussions.

It may look I hate everything systemd, that is far from correct. I think systemd service manager is great tool, as is for example systemd-nspawn. But systemd-resolved is full of unnecessary bugs and strange design choices nobody is willing to fix. If they are willing, they get fixed so fast.

I don't want to be connected with systemd project in any way anymore. I would be ashamed to be connected with it. I would like to thank Evgeny Vereshchagin for standing on my side, I value it very much. Link to Code of Conduct [4] made me laugh. It seems it were just copied from some random other project, where they truly meant what is written in it.

I will still report issues in systemd if I found them. I consider it my unpleasant and worthless duty, because it seems they are ignored anyway. If they are fixed, that is usually done in a way I consider wrong. systemd-resolved is included as a default installed DNS cache in Fedora, that is why I am willing to do offer some help. Bad mistake in my opinion, but even that deserves to have issues to be known, reported (and ignored). I will try to minimize my reports to unemotional facts as much as I will able to.

I think I deserve an apology from Luca, but I doubt I will receive some.

Thank you for reading it so far,

Happy new year everyone and less drama in it!

Best Regards,
Petr Menšík

1. https://github.com/systemd/systemd/issues/25676
2. https://bugzilla.redhat.com/show_bug.cgi?id=2222261
3. https://bugzilla.redhat.com/show_bug.cgi?id=2222672#c3
4. https://github.com/systemd/systemd/blob/main/docs/CODE_OF_CONDUCT.md

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

Attachment: OpenPGP_0x4931CA5B6C9FC5CB.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux