oss-sec mailing list archives
RE: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access
From: Shachar Raindel <raindel () mellanox com>
Date: Thu, 2 Apr 2015 16:39:05 +0000
> -----Original Message-----
> From: Roland Dreier [mailto:roland () purestorage com]
> Sent: Thursday, April 02, 2015 7:33 PM
> To: Shachar Raindel
> Cc: oss-security () lists openwall com; <linux-rdma () vger kernel org> (linux-rdma () vger kernel org); stable () vger kernel org
> Subject: Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access
>
> On Thu, Apr 2, 2015 at 12:52 AM, Shachar Raindel <raindel () mellanox com> wrote:
> > This is a common practice in the security industry, called "responsible
> > disclosure."
> >
> > Following the kernel security bugs policy [1], we reported it to the
> > kernel security contacts a few days before making the issue public.
> > A few days after the issue became public, we published a clear report
> > to all of the relevant mailing lists.
>
> Isn't the point of responsible disclosure to delay disclosure until a
> fix is in place? What's the point of sending a notification to the
> kernel security team if you're going to disclose publicly before the
> upstream kernel is fixed?

We delayed the disclosure until most major Linux vendors released a fix for the issue, give or take in synchronization.

The Linux security contact list only guarantees secrecy for 7 days. We therefore contacted them only close to the date at which fixes were going to be released, to follow their expectations for the period of time between contact and public disclosure.

Thanks,
--Shachar