Hackers don't give a shit about your change control, they're not going to give you a head start because you're slow to respond to threats.
How does not telling anyone that people are actively exploiting this change that?
Odd question.
I don't know about three days, but certainly under a week, which is completely normal in free software. Proprietary vendors generally want between six months and two years, but free software vendors and projects very rarely ask for more than a week or two delay before publication.
In fact, Linus famously tells people not to tell him about any security issue you want kept secret for more than a week, as he will just go ahead and fix it.
Odd, I don't know why you're picking on me, but I assume "Android Kernel" is marketing-speak for "Linux", in which I've reported, found and fixed dozens of flaws over the years.
As you're so interested, here are some from the last month or two that you can take a look at.
CVE-2010-3080, A use-after-free in snd_seq_oss_open
CVE-2010-2960, A to-userspace dereference in keyctl_session_to_parent.
CVE-2010-2954, Kernel panic and to-userspace dereference in AF_IRDA sockets.
CVE-2010-3067, Various problems with aio (things like aio_submit())
The Coverity results I've seen in the past are generally very low quality with a high density of chaff. I haven't seen the report they're talking about, but would be surprised if there were any noteworthy findings with any significant security impact. The only report I've seen them publish that had any convincing vulnerabilities was in 2006, where they found a verifiable privilege escalation in XFree86 (due to a pretty horrendous typo).
I'm a little saddened that you so readily associate me with Windows security, whereas I consider myself primarily a Linux security developer, but I guess I'm flattered that where I spend my time is so important to you.
(perhaps a little creepy, though).
You didn't elect me your doctor either, but I'm sure you would like me to tell you if your water supply was poisoned.
Actually, his comment was entirely accurate.
I've reported dozens of critical vulnerabilities in Microsoft software over the years, and I still have multiple open cases with Microsoft security; this particular case wasn't as simple as you have assumed. I would not be so presumptuous as to explain the ethics of your work to you, but evidently you believe you're qualified to lecture me in mine.
If I were to read the sensationalised lay-press coverage of your latest publication or project, would it prepare me to write a critique of your work?
Applications Welcome ;-)
I discovered this bug (check the credit section in the advisory), so I can explain. The bug is in parsing a component of TTF files, which are handled by the GDI kernel subsystem in Windows. Anything that tries to load fonts can be used to exploit this vulnerability, as they will eventually reach this code; Internet Explorer just happens to be the easiest way to reach it remotely.
Other browsers _are_ affected; the difference is that there's only one level of indirection before the vulnerable code in Internet Explorer, and at least two in other browsers. This is because IE supports EOT files directly, which via TTLoadEmbeddedFont() are decoded and passed straight to GDI, whereas other browsers take a TTF input, convert it into an EOT and then pass that to TTLoadEmbeddedFont, so you have to convince three different chunks of code your input is valid (the browser, t2embed, then gdi), instead of just two in IE.
If you use any browser that supports @font-face on Windows (Safari, Firefox 3.5+), you should still patch and reboot.
Actually, it is possible to map at NULL in Windows, which is just as plagued by NULL pointer dereferences as Linux is.
Try this:
PVOID BaseAddress = (PVOID) 0x00000001; // 1 & ~(PAGE_SIZE - 1) == 0: the base is rounded down to the page containing it, i.e. the NULL page
SIZE_T RegionSize = 0x1000;
// NtAllocateVirtualMemory is exported by ntdll.dll; it returns an NTSTATUS
NtAllocateVirtualMemory(GetCurrentProcess(), &BaseAddress, 0, &RegionSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
Interesting that you consider flashblock a security tool (I use flashblock as well, but simply to suppress the onslaught of distracting ads).
If there was a vulnerability discovered in flash player, flashblock would provide little protection; to demonstrate my point, install flashblock and click here (harmless testcase). Did flashblock prevent flash player from crashing, or taking down firefox?
(to pre-empt replies, yes i do know about noscript)
$ sudo emerge media-gfx/swftools
# non gentoo users: http://www.quiss.org/swftools/
$ wget 'http://www.hitachigst.com/hdd/research/images/pr%20images/Get_Perpendicular.swf'
$ swfextract --mp3 Get_Perpendicular.swf
$ xmms output.mp3
Oh please, next you'll be telling us water and electricity doesn't mix. [english translation]
What the heck, though, is someone going to do with 78 NES decks?
Beowulf cluster.
First Upside-Down Post!
it's usually distributed as part of a collection called "bsd games", if you use Linux try here.
Some people have reported seeing engineers using Xv in the background of tv reports.
http://www.trilon.com/xv/xvtv.html
I agree, all software should be named after an animal/celebrity/pokemon that can beat the mascot of competing applications in a fight, that way we can all play top trumps while browsing freshmeat.
Ahh, found the answer in a court transcript, here.
In sum, SCO's campaign is designed both to slow the growth of LINUX, and to reverse its failing fortunes by convincing LINUX users that they need to pay SCO a license fee to use the lower-cost LINUX operating system. As SCO's own representatives have proclaimed, if SCO is successful at this effort, it can add "billions" of dollars in undeserved revenues to its declining bottom line. Additionally, SCO's campaign is designed to further what, upon information and belief, has been referred to as the "LINUX Lottery" -- the ability to reap personal profit by carefully timed purchases of SCO stock.
45. All documents concerning a Linux Lottery or the phrase the "Linux Lottery".
That's a new one on me, anyone have any clue where this phrase comes from or what it means... why are RH interested in it?
There was a fascinating program about RFID this evening on Radio 4, available on the web here.
works fine with mplayer, as well..
$ mplayer rtsp://rmv8.bbc.net.uk/radio4/news/inbusiness/inbusiness.ra
> Real men just concatenate their files line by line, don't they?
You've obviously never heard of TECO.
The author went on to have an interesting conversation with Michael Jennings, author of Eterm, on Bugtraq here.
Mirror here.
wget --page-requisites --convert-links 'http://www.sweclockers.com/html/artikel/art_030225_xbox_mod.php?page=15'
fvwm has had this functionality using libstroke since version 2.3.4 (2.5.5 is the latest release)
obviously not many brainf*ck coders on slashdot then :)
oh please, this comes from the same guy that brought you the Hewlett Packard 48 Series Calculators advisory.
it's funny, laugh.