Security release criterion proposal

Michał Piotrowski mkkp4x4 at gmail.com
Wed May 18 18:17:57 UTC 2011


Hi,

2011/5/18 Adam Williamson <awilliam at redhat.com>:
> On Wed, 2011-05-18 at 19:14 +0200, J B wrote:
>> Hi,
>>
>> > I don't know if anyone
>> > would want to go as far as making DoS vulns release blocking, but speak
>> > up if you would! (Of course there is again the local/remote distinction
>> > to consider there: 'all DoS vulns' would be a much tighter standard than
>> > 'remote DoS vulns').
>>
>> I think the "use of a live image shipped with the release" scenario is
>> worth rethinking due to the following:
>>
>>    you talk about a *local* DoS - that's technically true.
>> But you know it can be triggered remotely e.g. if you are exposed to
>> Internet (nowadays almost everybody is), and the attacker knows the nature
>> of vulnerability, and what OS area can be hit to do the maximum damage
>> (the price can be very attractive - e.g. the issue raised today by me regarding
>> /run/user and /dev/shm and systemd, which is perhaps the most important
>> system program after kernel itself).
>> So, even a local DoS could qualify for a security blocker.
>
> Um, to my understanding, your reasoning is flawed. The definition of a
> 'local' vulnerability is one which requires console access to exploit.
> What you're talking about would not be possible with a 'local exploit',
> as the term is usually understood; these can't be exploited by a remote
> attacker even if you're 'exposed to Internet'. As far as I'm aware,
> the /dev/shm DoS cannot be exploited by a remote attacker.

This is exploitable if you have a broken web app. With the attached sample script
(url: test2.php?file=/dev/shm/test.dat) I can create a file in /dev/shm/.

(my devel system is not very secure :))

> --
> Adam Williamson
> Fedora QA Community Monkey
> IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
> http://www.happyassassin.net



-- 
Best regards,
Michal

http://eventhorizon.pl/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test2.php
Type: application/x-httpd-php
Size: 180 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/test/attachments/20110518/02467a3f/attachment.bin 
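
A defensive counterpart to the scenario in this message, added here as an example (it is not the scrubbed test2.php attachment, whose contents are not on this page): a PHP handler that takes a file name from a request parameter can confine its writes to one directory, so a value such as /dev/shm/test.dat is rejected. The function name confined_path and the base directory are assumptions made for the illustration.

```php
<?php
// Added example. Assumption: the application should only ever write
// files below a single base directory that it owns.

function confined_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Treat the request as relative to the base directory, never as absolute.
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\');
    $name = basename($candidate);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() fails for files that do not exist yet, so resolve the parent
    // directory (this follows symlinks and "..") and re-attach the file name.
    $parent = realpath(dirname($candidate));
    if ($parent === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($parent !== $base && strncmp($parent, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved location is outside the base directory
    }
    $target = $parent . DIRECTORY_SEPARATOR . $name;
    // Refuse to write through a symlink planted inside the base directory.
    return is_link($target) ? null : $target;
}

// Constructed sample inputs; the second is the value quoted in the message.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'appdata_' . getmypid();
@mkdir($base, 0700);
$requests = ['report.dat', '/dev/shm/test.dat', '../../../dev/shm/test.dat', '..'];
foreach ($requests as $req) {
    $path = confined_path($base, $req);
    printf("%-28s %s\n", $req, $path === null ? 'rejected' : "allowed -> $path");
}
rmdir($base);
```

Only the first request resolves to a location inside the base directory; the other three are refused before any file is opened.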

