oss-sec mailing list archives

Re: CVE request - Linux kernel: VFAT slab-based buffer overflow


From: Henri Salo <henri () nerv fi>
Date: Tue, 26 Feb 2013 22:42:41 +0200

On Tue, Feb 26, 2013 at 01:31:59PM -0700, Kurt Seifried wrote:
> I suspect part of the problem is scale. Most people don't understand
> the scale at which the Linux Kernel and vendors handle bug fixes and
> code changes. External people simply see a few poorly handled security
> related issues and probably think "well how hard can it be to properly
> fix a few extra security flaws?" but they don't see that those 5 security
> issues were buried in 10,000 other code fixes. The resources needed to
> audit every code change for a security impact simply aren't available
> (and even if we had enough talented people who exactly is going to pay
> them all?).

Why should they be paid? I'd say the problem is that there aren't many people who
understand the aspects needed to notice a security vulnerability in the Linux kernel,
and it's even more difficult to fix it without breaking something else.

Money is not the only thing getting stuff done.

--
Henri Salo