upvote

points

by eschaton19 hours ago |
comments
upvoteby tptacek19 hours ago|
next
[-]
They're literally just restating the argument for full disclosure security. This is one of the oldest debates in information security.
reply
upvoteby 0x019 hours ago|
parent|
[-]
The disclosure doesn't appear very "full". Looks like this was slipped into mainline linux among dozens of other mostly-irrelevant "CVEs" with nobody highlighting the fact that it is in fact dirty-cow-on-steroids.

https://x.com/spendergrsec/status/2049566830771970483

https://lore.kernel.org/linux-cve-announce/2026042214-CVE-20...

Or is everyone expected to upgrade and reboot every 48 hours for all eternity and just deal with potential regressions all the time?

I think this reflects poorly on the original reporters. If you have a weaponized 700-byte universal local root exploit script ready to go, perhaps you should coordinate with major distros for patches to be available before unleashing it on the world. No matter how "veteran" you are.

reply
upvoteby tptacek19 hours ago|
parent|
[-]
Um, yes, everyone is expected to upgrade and reboot on a moment's notice. No policy or norm you come up with will change that.

(This bug does not technically require a reboot to mitigate).

reply
upvoteby judemelancon17 hours ago|
parent|
[-]
I think I must misunderstand. Are you saying that you upgrade and reboot every production system that you administer to apply each commit to the kernel (branch it's using) essentially immediately? That doesn't make sense to me for a few reasons, but I struggle to find a different reading that applies "upgrade and reboot on a moment's notice" to the "slipped into mainline linux" scenario. Kindly help me to do so.
reply
upvoteby tptacek17 hours ago|
parent|
[-]
No: your posture with respect to having to cycle servers is a super complicated subject and you address it both with process and with architecture (for instance: you can be blasé about things like CopyFail if you don't allow multitenant shared-kernel in your design in the first place). But no matter what process and design you have, if you're hosting sensitive workloads, you always have to be in a position where you can metabolize having to cycle your servers.

It's a category error to talk about a disclosure event like this as something that would destabilize someone's fleet operations. The Linux kernel is fallible. So is the x64 architecture. You already have to be ready to lock things down and reboot (or mitigate) at a moment's notice.

Remember: whatever else grumpy sysadmins have to say about this, Xint are the good guys. Contrast them with the bad guys, who have vulnerabilities just as bad as CopyFail, but aren't disclosing them at all --- you only find out about them when it's discovered they're actively be exploited. There's no patch at all. There isn't even a characterization of how they work, so that you could quickly see what to seccomp. That's the actual threat environment serious Linux shops operate in.

LPEs are not rare.

reply
upvoteby judemelancon16 hours ago|
parent|
next
[-]
Oh, I thought you meant "everyone" in a sense including actual human persons and the devices on their home network.
reply
upvoteby 0x016 hours ago|
parent|
prev|
[-]
I find it curious to call someone dropping a weaponized root exploit before major distros or even LTS kernel git branches have patches ready "good guys". This could have been handled with much more grace.
reply
upvoteby sersi5 hours ago|
parent|
next
[-]
To be fair, once Xint gave the heads up and the kernel team committed a patch, what was Xint supposed to do? Keep asking the kernel security team to backport patches for the LTS kernels?

As soon as a patch is committed, the clock starts ticking, the exploit will be discovered by reverse engineering recent commits. The commit was made on April 1st, Xint disclosed it on the 29th. If the Kernel Security team had wanted to, they had 28 days to backport patches in the LTS branches...

So, I wouldn't put any blame on Xint there.

reply
upvoteby tptacek15 hours ago|
parent|
prev|
[-]
Again: I made the actual distinction between bad guys and good guys clear. Good guys don't become bad guys simply because kernel security is an inconvenience to you.
reply
upvoteby eschaton6 hours ago|
parent|
[-]
There are more than just good guys and bad guys; in particular, there are also opportunists.

Opportunists are the ones who will sell a 0day to bad guys. Or who will drop a 0day publicly to promote their services. And they’ll fight tooth and nail against any actual legal obligation to engage in responsible and coordinated disclosure, because they make more money without that.

reply
upvoteby tptacek1 hours ago|
parent|
[-]
Seems like a classification you just made up to navigate a message board debate: the category that equates commercial vulnerability research for security products and people who sell zero-day vulnerabilities to bad guys.
reply
upvoteby 19 hours ago|
prev|
next
[-]
deleted
reply
upvoteby akerl_19 hours ago|
prev|
[-]
What the heck is up with people today.

Using quotes around something where you’re actually doing a strawman paraphrase of another commenter you disagree with is bad form.

reply
upvoteby stavros13 hours ago|
parent|
[-]
It was clear that the original comment didn't say that, since we can see it right above. It was clear to me that the GP was using quotes as a way to use direct speech, not to imply that the GP literally said those words.
reply