| ▲ | shimman 7 hours ago |
| Expecting people to do the right thing is a fundamental issue here. Why would you ever expect for all of vulnerabilities to be disclosed privately? There's very little actual incentive to do this. I'm honestly unaware of what systems could be put in place to prevent this but expecting people to always do the right thing is fantasy level thinking. I mean I bet the disclosers thought they were doing the right thing, hence why it's a bad thing to rely on. edit: spelling/grammer. |
|
| ▲ | dwedge 6 hours ago | parent | next [-] |
| When the exploit is an advertisement for an exploit detection company, not doing the right thing is a bad look |
| |
| ▲ | dgellow 6 hours ago | parent [-] | | The worst thing would be to exploit or sell it for profit. Instead of that, publicizing the exploit is closer to neutral–good in my books, that did trigger a really quick reaction from the different actors to patch their kernels and systems | | |
| ▲ | ori_b 6 hours ago | parent [-] | | Imagine how much quicker the distros would have reacted if they were given a heads up a month ago. But, sure, I guess kudos to this company for not being actively criminal, and merely bumblingly incompetent and overly eager to get their marketing pitch out the door. | | |
| ▲ | x4132 2 hours ago | parent [-] | | to which distros? how do you ensure fairness? Do you report this to the maintainer of Red Star OS (north korea)? The kernel security team was given the heads up a month ago. At that point it is their decision. |
|
|
|
|
| ▲ | egonschiele 6 hours ago | parent | prev | next [-] |
| Why don't all these distro maintainers add their own back doors, and mine crypto off our machines without our knowledge? Surely, there is some legal fine print they can add that would let them do that. There is very little incentive for them to maintain these systems, given how thankless and underpaid the work is. |
|
| ▲ | holowoodman 7 hours ago | parent | prev | next [-] |
| I can accept (and welcome) disclosure before there are patches. But publishing a working exploit together with the disclosure before patches are available is really really irresponsible, maybe even criminal. And no, the proposed mitigations don't help with half of the distributions out there... |
| |
| ▲ | staticassertion 3 hours ago | parent | next [-] | | The patch was available. Upstream just doesn't communicate vulnerabilities because they have a personal dispute with distros about how to handle patching. | |
| ▲ | SoftTalker 6 hours ago | parent | prev | next [-] | | AIUI the exploit was fairly low-effort once you knew the vulnerability. So publishing one probably didn't change the landscape much. | |
| ▲ | akerl_ 6 hours ago | parent | prev | next [-] | | > maybe even criminal What’s your theory here? What crime? | | |
| ▲ | holowoodman 4 hours ago | parent | next [-] | | Exploits are sold and used as weapons, sometimes even weapons of war. Which in many places is criminal, except under very restrictive circumstances. Also, all kinds of aiding and abetting. | | |
| ▲ | akerl_ 4 hours ago | parent [-] | | What does that have to do with this comment thread? Copying from the comment I was replying to: > But publishing a working exploit together with the disclosure before patches are available is really really irresponsible, maybe even criminal |
| |
| ▲ | michaelmrose 6 hours ago | parent | prev [-] | | If it's not a crime I see no reason not to work with partner nations to build responsible disclosure into a legal framework everywhere because it pretty obviously should be. | | |
| ▲ | akerl_ 6 hours ago | parent | next [-] | | If you wanted to somehow make coordinated disclosure into a legal framework, that would be an interesting and complex project. But it’s not the law anywhere I’m aware of today, and I’d not support it becoming a law. | |
| ▲ | jodrellblank 5 hours ago | parent | prev [-] | | You know companies are allowed to pay people to find vulns, and pay people bug bounties? Instead of that, you’d rather make the law compel free individuals to limit their speech, or to hand over their work to big companies privately, so big companies can save money? That doesn’t sound like a nice future, if it’s even enforceable at all. |
|
| |
| ▲ | wang_li 6 hours ago | parent | prev | next [-] | | There is an alternative mitigation you can use which blacklists the function calls when the affected code is not built as a kernel module. | |
| ▲ | semiquaver 7 hours ago | parent | prev [-] | | Patches were available for nearly a month. | | |
| ▲ | ori_b 7 hours ago | parent | next [-] | | Basic care would involve making sure the patches had made it into the wild before ending the embargo, and nagging the relevant parties if not. Edit: As of this writing, most distros including Redhat, Fedora, Debian Stable, do not have patches available in the package repos, though they're being actively worked on. | | |
| ▲ | sgjohnson 6 hours ago | parent | next [-] | | Not true, if there’s any evidence of the exploit being used in the wild, it’s much more responsible to release immediately. Considering that the patches have been available for a while, someone surely reversed what they were for and was actually exploiting this in the wild. In the age of AI, I’d argue that “responsible disclosure” is dead. Arguably even in closed source projects. Just ask Claude to do a diff between the previous version and to see whether anything fixed in there could have had security implications. We’re not there yet, but very soon the only way to responsibly disclose a vulnerability will be immediately. | | |
| ▲ | ori_b 6 hours ago | parent [-] | | But they didn't release immediately -- they waited a month, but forgot to tell the distros, and forgot to check if waiting a month had actually lead to distros picking up the patches and shipping them. |
| |
| ▲ | semiquaver 6 hours ago | parent | prev | next [-] | | “Made it into the wild?” Patches landed a month ago. Should they also wait until my linksys router from 2018 has a patch ready? | | |
| ▲ | ori_b 6 hours ago | parent | next [-] | | Patches are still in the process of landing in most major distros as of the time of this writing. Most users are not able to get an update through their distro's packaging mechanisms. | |
| ▲ | SoftTalker 6 hours ago | parent | prev [-] | | It's a local vulnerability at least. How many people do you let log in to your router? With the way linux is used these days, I'd guess the number of systems with untrusted local users is pretty limited. Even with shared hosting, you generally have root in your VM or container anyway. Unless this enables an escape from that? Still the risk that people who run "curl | bash" without care could get bitten, but usually its "curl | sudo bash" anyway... | | |
| ▲ | sgbeal 6 hours ago | parent | next [-] | | > Even with shared hosting, you generally have root in your VM or container Lots of shared hosters don't use VMs or containers. It's some arbitrary number of people logging in to a shared system, each one with a home directory under /home/THE_USER_NAME. i've had several such hosters over the years (thankfully not right now, though). | |
| ▲ | sjpb 5 hours ago | parent | prev | next [-] | | > With the way linux is used these days, I'd guess the number of systems with untrusted local users is pretty limited Things like HPC clusters are multiuser & don't entirely trust their users. If they did we wouldn't need users/groups/permissions etc in the first place. | | |
| ▲ | cozzyd 3 hours ago | parent [-] | | Yes. Not even just HPC clusters, shared login servers are pretty common in academia. I manage several in our lab. Sure, we mostly trust the users against malice more or less but not so much against incompetence. A malicious vscode plugin would run rampant in this space. And then there are users running claude-cli and friends who may just find it convenient to use a local root exploit to remove obstacles. |
| |
| ▲ | dist-epoch 6 hours ago | parent | prev | next [-] | | With this exploit it's trivial to jump from one container to another neighbor container. I've tried it and succeeded. So containers don't protect you, only a VM. | | |
| ▲ | SoftTalker 6 hours ago | parent [-] | | So anyone pulling a malicious dockerfile jeopardizes the host? That would be bad... | | |
| ▲ | ori_b 3 hours ago | parent [-] | | ...no shit? Why do you think people care about this issue? |
|
| |
| ▲ | michaelmrose 6 hours ago | parent | prev [-] | | Local root is part of the path to escaping |
|
| |
| ▲ | staticassertion 3 hours ago | parent | prev | next [-] | | That's mostly on Greg, a bit on the author. | |
| ▲ | GrayShade 6 hours ago | parent | prev [-] | | Fedora is patched. |
| |
| ▲ | em-bee 6 hours ago | parent | prev | next [-] | | only for versions 6.19.12 & 6.18.22. older versions (which are used in distributions) are not ready yet. | |
| ▲ | 6 hours ago | parent | prev [-] | | [deleted] |
|
|
|
| ▲ | baggy_trough 7 hours ago | parent | prev | next [-] |
| Why wouldn't the linux security team notify the main linux distributions? |
| |
| ▲ | staticassertion 3 hours ago | parent | next [-] | | Greg and Linus do not believe in the entire concept of "vulnerabilities" in the Linux kernel and do not believe in the methods that distros use like cherry picking, therefor they typically are against issuing CVEs, scoring CVEs, describing vulnerabilities at all (if you use the word "vulnerability", your patch will be rejected), etc. It's fundamentally their position to not work the way that you describe. | | |
| ▲ | baggy_trough 3 hours ago | parent [-] | | That doesn't really seem to map onto the situation since Greg himself released a 6.12 with the patch earlier today. | | |
| ▲ | staticassertion 3 hours ago | parent [-] | | I don't know what you mean at all. I'm just repeating known kernel policy here. What does 6.12 have to do with anything? | | |
| ▲ | baggy_trough 2 hours ago | parent [-] | | What is your interpretation of why Greg KH released a version of 6.12 with this fix in it today, other than to help distributions avoid this vulnerability? |
|
|
| |
| ▲ | bluepuma77 5 hours ago | parent | prev | next [-] | | Well, how do you define main Linux distros? Isn’t the next smaller one not receiving the info always complaining? | | |
| ▲ | throw0101a an hour ago | parent | next [-] | | > Well, how do you define main Linux distros? Isn’t the next smaller one not receiving the info always complaining? For a first approximation: Ubuntu, Debian, RHEL(-derived) to begin with, and SuSE which is in EU/server space (AIUI): * https://commandlinux.com/statistics/most-popular-linux-distr... * https://commandlinux.com/statistics/linux-server-market-shar... Seems like Gentoo, Arch, Mint, and Slackware could also be as well: * https://distrowatch.com/dwres.php?resource=major U/Deb/RHEL are 'upstream' of a lot of other projects, and fixes would trickle down to Rocky, Alma, etc. Perhaps VM OS in cloud (AWS, Azure) could be a usage gauge as well. | |
| ▲ | baggy_trough 5 hours ago | parent | prev [-] | | Isn't there already a distro security list for this purpose? | | |
| |
| ▲ | bonzini 6 hours ago | parent | prev | next [-] | | Partly they already have enough on their plate. It's up to the reporter to pick how to handle the disclosure, and unless a specific maintainer chooses to handle it, the Linux security team clearly says they won't. Partly they have a strong belief that all kernel bugs are vulnerabilities and all vulnerabilities are just bugs; sometimes taken to the extreme in both ways (on one hand this case where the vulnerability is almost ignored; on the other hand, I saw cases where a VM panic that could be triggered only by a misbehaving host—which could just choose to stop executing the VM—was given a CVE). | | |
| ▲ | staticassertion 3 hours ago | parent | next [-] | | This couldn't be more backwards. This has literally nothing to do with bandwidth. The kernel is a CNA, they are explicitly the ones to do this. The reason they don't is because Linus and Greg have repeatedly, publicly stated that they don't want to because they don't believe that vulnerabilities conceptually make sense for the linux kernel and they refuse to engage in the process. | |
| ▲ | baggy_trough 6 hours ago | parent | prev [-] | | Seems a little crazy. Somebody should evaluate blast radius and do appropriate distro notifications in a case like this (I presume the impact was part of the disclosure, so not much extra work). | | |
| ▲ | seanhunter 5 hours ago | parent [-] | | You know the linux kernel is a free software project right? If you think “somebody should” do a thing but you aren’t prepared to do it yourself then you should maybe ask for a full refund. | | |
|
| |
| ▲ | shimman 3 hours ago | parent | prev | next [-] | | Because one of them might have an incentive to not do so. In this case it's because they want to advertise their own company. | |
| ▲ | 7 hours ago | parent | prev [-] | | [deleted] |
|
|
| ▲ | skywhopper 7 hours ago | parent | prev | next [-] |
| I think it’s reasonable to expect folks in the security community who go to the trouble of creating a website detailing security vulnerabilities in specific listed software to pre-notify the security teams of that software. The CopyFail website calls out Ubuntu and Red Hat specifically, but apparently the author of the site did not inform them of the issue? But even if you think making unethical decisions in personal self interest is something no one should be criticized for, surely the Linux kernel team ought to have some process for notifying the top distributions of an upcoming LPE, just out of practicality. |
| |
| ▲ | semiquaver 7 hours ago | parent [-] | | In what sense do you believe that the reporter did not notify the security team of the relevant software? The vulnerability is in the kernel. Reporter responsibly disclosed using the kernel’s security report mechanism and waited until a patch was ready. Distros are downstream of kernel, that doesn’t entitle them to expect to be contacted directly by every security reporter. That’s not on them. Distros that are big enough should be plugged into the linux security team for notifications. Security researchers cannot be held responsible for broken lines of communication within the org charts of projects that they study. They’re providing a valuable public service already, how much more do you want? | | |
| ▲ | ragall 6 hours ago | parent | next [-] | | > that doesn’t entitle them to expect to be contacted directly by the reporter Yes it does. That's how it's always been done and distros can ship a fix well before it ends up in a kernel release. | |
| ▲ | michaelmrose 5 hours ago | parent | prev [-] | | It is suggested that they out of an abundance of caution and 5 or 6 emails. If this is entirely to much to expect we can always help them by mandating that they spend 6 figures annually meeting a much more robust set of requirements that will include notifying all possible affected parties down to Hannah Montana Linux devs if any still exist. Any strategy that assumes that the rest of the world is functional or makes you personally responsible for fixing all of it is equally broken but there is a reasonable middle ground and sending a few more emails lies within it | | |
| ▲ | semiquaver 5 hours ago | parent [-] | | > we can always help them by mandating that they spend 6 figures
Who’s we? Mandate with what authority?AWS and GCP are downstream another level. Should the reporter also have worked with them? And their customers? And the customers of their customers? IMO this whole discussion seems like people are annoyed by the security researchers doing god’s work and wish they didn’t exist or think that they should be fully subservient to the projects and companies they are helping for free. The bugs were there before the researchers revealed them!! |
|
|
|
|
| ▲ | bossyTeacher 6 hours ago | parent | prev [-] |
| > expecting people to always do the right thing is fantasy level thinking. Most people in tech think like the techie in this comic strip. https://xkcd.com/538/ |
