Dear sweetheart,

On Thu, Nov 05, 2009 at 01:12:58AM +0100, Claire beuserie wrote:
> Yes, I know, I was present in the room when Ilja gave the talk in 2006 at
> the CCC Kongress and the two OpenBSD developers in the room decided to
> completely ignore the exploit he showed until Miod reproduced it two weeks
> later...


http://events.ccc.de/congress/2006/Fahrplan/day_4.en.html:
Schedule Day 4: 30.12.2006
11:30
Unusual bugs Ilja

http://openbsd.org/errata39.html:
017: SECURITY FIX: January 3, 2007   i386 only
Insufficient validation in vga(4) may allow an attacker to gain root
privileges if the kernel is compiled with option PCIAGP and the actual
device is not an AGP device. The PCIAGP option is present by default on
i386 kernels only.

http://blogs.23.nu/ilja/2007/01/:
"So one of the things I noticed after my unusual bugs talk, the OpenBSD
guys fix bugs _FAST_. I mean really fast ! bugfix and announcement
within a few days. Not many vendors can pull that off."

Two weeks, eh? Want it in a black frame with a white caption
reading "EPIC FAIL"? I'd start gimp for that.

> 
> If you are not an OpenBSD developer, don't make public statements like that,
> if OpenBSD developers decide to sit on a bug for a couple of months, it does
> not justify their full disclosure conflict where bugs are swept under the
> carpet

Newsflash: I decide what I write on a public mailing list. The rest of
the sentence doesn't even parse, but I think it's something like "Theo
once hurt my feelings on the internets".

What I always wanted to know: how do I join the secret Facebook group of
people that have been flamed by Theo or another OpenBSD developer? Do
you have an IRC channel? Is an emo haircut and a pic from weird angles
really required in the application?


I should have roasted you in the first reply like my guts told me to;
instead I gave you the benefit of the doubt, my mistake. Doesn't happen
again. Promise.

Misc'ed for entertainment

> 
> On Thu, Nov 5, 2009 at 12:55 AM, Tobias Ulmer <[email protected]> wrote:
> 
> > On Wed, Nov 04, 2009 at 01:46:52PM +0100, Claire beuserie wrote:
> > > Dear Tobias,
> > >
> > > what you stated contradicts what Otto and Art posted.
> >
> > Ehm, no it doesn't. There are two different components, the actual null
> > pointer dereference and the ability to map a page to address zero.
> >
> > What I'm pointing out is that mapping a page at address 0 isn't new. It's
> > also not a bug (this is true for the executable stack as well, as Art
> > points out with some sarcasm). The ability for a program to do so was
> > recognised in 2006 by some developers, and prevented by a change to the
> > kernel in 2008.
> >
> > It only becomes a problem once someone finds a NULL pointer dereference
> > in the kernel. One such problem was discovered recently, and was fixed
> > asap.
> >
> > If you had done some research for the file i linked to, you would find
> > that Ilja gave a talk in 2006, called "unusual bugs", where he
> > demonstrated this class of vulnerabilities on OpenBSD. I'm sure plenty
> > of Linux developers were sitting in the audience as well, laughing about
> > us...
> >
> > Again, the bug was fixed asap:
> > ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/i386/017_agp.patch
> >
> >
> > >
> > > Are you to be quoted as an OpenBSD developer on this?
> >
> > Certainly not, since I'm no OpenBSD developer.
> >
> > >
> > > Salutions,
> > >
> > > Claire
> > >
> > > On Wed, Nov 4, 2009 at 3:46 AM, Tobias Ulmer <[email protected]> wrote:
> > >
> > > > On Wed, Nov 04, 2009 at 02:57:59AM +0100, Claire beuserie wrote:
> > > > > Hi,
> > > > >
> > > > > On Wed, Nov 4, 2009 at 12:58 AM, Theo de Raadt <[email protected]> wrote:
> > > > >
> > > > > > 2) At least three of our developers were aware of this exploitation
> > > > > >   method going back perhaps two years before the commit, but we
> > > > > >   gnashed our teeth a lot to try to find other solutions.  Clever
> > > > > >   cpu architectures don't have this issue because the virtual address
> > > > > >   spaces are separate, so i386/amd64 are the ones with the big impact.
> > > > > >   We did think long and hard about tlb bashing page 0 every time we
> > > > > >   switch into the kernel, but it still does not look attractive from
> > > > > >   a performance standpoint.
> > > > > >
> > > > >
> > > > > I'm confused.
> > > > >
> > > > > That came out a bit weird: are you saying you knew about the bug for 2
> > > > > years but did not fix it?
> > > >
> > > > It's not "the bug", it's a class of vulnerabilities that allows one to
> > > > exploit a NULL pointer dereference under certain circumstances.
> > > >
> > > > http://packetstorm.linuxsecurity.com/poisonpen/8lgm/ptchown.c
> > > > is commonly cited as the oldest public source (1994). Use google for
> > > > more.
> > > >
> > > > >
> > > > >
> > > > > c.b-
> > > >
> > > > --
> > > > Sent from my noname server.
> > > >
> >
> > --
> > Sent from my noname server.
> >

-- 
Sent from my noname server.
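The thread's technical point is that a kernel NULL pointer dereference only matters when userland can decide what lives at virtual address 0. The following is an added hardening check, not code from the thread or from any OpenBSD developer: it asks the running kernel whether an unprivileged process may place a page at address 0 (OpenBSD refuses since the 2008 kernel change; Linux refuses below vm.mmap_min_addr). It assumes a POSIX mmap(2) with MAP_ANONYMOUS and MAP_FIXED.

```c
/* Added example: does this kernel let a user process map page zero?
 * A hardened kernel refuses; a kernel that accepts leaves every NULL
 * pointer dereference in kernel code one step closer to exploitable. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Try to place one anonymous page exactly at addr (MAP_FIXED).
 * Returns 1 if the kernel accepted (and unmaps it again), 0 if it
 * refused; *err receives errno of the refusal (0 on success). */
int try_fixed_map(void *addr, int *err)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(addr, pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        *err = errno;
        return 0;
    }
    *err = 0;
    munmap(p, pagesz);  /* we only wanted the answer, not the page */
    return 1;
}

/* The check itself: 1 = page zero mappable (weak), 0 = refused (hardened). */
int page_zero_mappable(int *err)
{
    return try_fixed_map((void *)0, err);
}

/* Control case: a page address the kernel itself just handed out must be
 * re-mappable with MAP_FIXED, so this is expected to return 1 everywhere. */
int control_page_mappable(int *err)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) { *err = errno; return 0; }
    munmap(p, pagesz);
    return try_fixed_map(p, err);
}

int main(void)
{
    int err;
    if (page_zero_mappable(&err))
        printf("WEAK: kernel allowed a user mapping at address 0\n");
    else
        printf("OK: mapping at address 0 refused (%s)\n", strerror(err));
    return 0;
}
```

The control case distinguishes "page zero refused" from "mmap is broken in this environment", which matters when the check runs inside a restricted sandbox.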
