Saturday, March 17, 2007

Fun & Games on openbsd-misc re: ICMPv6 Vuln

After getting burned out blogging on vulnerability disclosure I didn't think I'd bring the topic up here, but I couldn't resist. As of this morning, there have been about 75 emails "discussing" the ICMPv6 mbuf vuln discovered by Core Security.

Stuff like this is rather amusing, though:
You know, Theo, it makes me fucking sick to see you treat the community of
people who support your project and pay your wage like this. It makes me
even sicker to see the crowds of shrill, stupid fanboys on this list who are
so pathetically eager to agree with you that they support even your
most unreasonable, childish and frankly stupid statements. You are a goddamn
hypocrite - either you do OpenBSD purely for yourself and the other
developers (in which case I will stop financially supporting the project,
and everyone else should too) or you recognise that what really keeps
OpenBSD going is the group of people that advocate OpenBSD, use it in the
real world, and buy your goddamn CDs and t-shirts to keep you going.

My only comment to that is that the OpenBSD community needs more Ubuntu spirit!

Theo's recap and clarifications on the interactions with Core are definitely worth reading:

No one in OpenBSD is pissed off about this. We posted the bug fix as
soon as we became aware of the problem. The timeline goes like this:

1) We were told there was a mbuf crash, which could remotely CRASH
the machine. There was no proof that more could be done, not even
a whiff.

2) We committed the fix, about 24 hours later. It took a few days to
get the errata up because the people who do that were at a conference.
It was labelled as a RELIABILITY FIX because everyone felt it was just
a CRASH. I then entered into a long conversation with Core explaining
why we label crash fixes (even remote) as RELIABILITY FIXES.

3) Core felt maybe something more could be done and continued working,
and ONE WEEK LATER, finally managed to show us brand new code
which showed that intrusion was possible. Before that moment, it
was still just confirmed to be a CRASH.

4) A few hours after we became aware that it was more than a CRASH, we
changed the advisory to say it was a real security risk. We first had
to get the patch into -stable,