Re: [PATCH] Documentation/security-bugs: overhaul

From: Vegard Nossum
Date: Mon Jun 06 2022 - 10:23:21 EST


On 6/3/22 08:49, Willy Tarreau wrote:
> On Thu, Jun 02, 2022 at 05:34:48PM +0200, Vegard Nossum wrote:
>> I think there's also an argument for encouraging reports whether the
>> person has a patch or not, presumably it is better to know about an
>> issue so it can be prioritized against all other known issues, no?
>
> It depends. For a few months now we've seen a huge increase of reports
> for things ranging from "if I modify this driver this way I can make it
> fail so I think it could be insecure" to "this outdated driver that is
> not enabled in any distro anymore has a one-byte info leak bug, can I
> get my CVE". There have been weeks with 2 of them every single day. It's
> obvious that there's a quest of a CVE to be held as a trophee, and that
> for a CVE, a security bug is needed, and that for this it ought to be
> demonstrated that some random bugs in certain circumstances could have
> a security impact. Thus there is a huge bias.
>
> I would really like it if we could get back to what works fine: use> the security list only for currently exploitable bugs that are not
> trivially worked around, and please use public lists for everything
> else. It takes way longer to fix a bug in a small team having to
> forward messages to maintainers, trying to fix in a small group without
> knowing if we're going to break someone's use case than it takes when
> a non-critical issue is discussed publicly. And security fixes that
> cause regressions are the worst that can happen because they discourage
> users from regularly applying fixes. As such the vast majority of bugs
> ought to be discussed publicly, on the relevant lists. Bug given that
> some reporters are not interested in getting a bug fixed but just in
> getting a trophee, that's difficult to get a patch from them and to
> move the discussion to a public place where the fix will just be
> handled like with any regular bug.

I think this points to a bigger problem, but not with CVEs being held up
as trophies. There's already a huge monetary incentive to find bugs and
sell them as 0-days so IMHO we _should_ be encouraging people to find
bugs and either fix or report them, whether privately or publicly. If
having CVEs helps with that, that ought to be a good thing...

If you think a reported issue is not security-relevant, can you not
simply ask/encourage the reporter to make a public post instead?

If the security team is swamped with legitimate, security-relevant
reports, then that sounds like an issue with manpower and/or
organization. In my (admittedly limited) experience, Linus tends to be
one of the first to reply, so maybe having a designated person or group
to triage issues (maybe in a rota system) before engaging the rest of
the team could take some of the pressure off?

> I don't know how to adjust the wording but I think that the spirit is
> there. By the way there's something I would like to see added as well
> to this, which is the the ultimate goal is that a bug fixed is perfectly
> understood and documented. So either the details of the cause of the bug
> are in the commit message, or the researchers prefer not to publish them
> yet because they intend to present them at a conference or in a blog
> article (pretty common), which will serve as a reference for to get all
> the gory details. But in this case there must be a reasonable delay, it's
> not acceptable that the details of the problem are withheld for months.
>
> As such I think that we could mention something along:
>
> Upon reporters' request in case a forthcoming presentation of the issue
> is planned, it may occasionally be accepted to temporarily keep out some
> of the detailed impacts of the issue, however the security team reserves
> the right to publicize these details if no other publication happens in
> a reasonable time frame or as soon as the fixes are found to cause a
> regression.
>
> Because quite frankly, not being able to explain exactly why a patch is
> done this way and not slightly differently is not acceptable.

This unfortunately directly contradicts the current policy as stated:

"All other information submitted to the security list and any followup
discussions of the report are treated confidentially even after the
embargo has been lifted, in perpetuity."

So again, unless there's a clear consensus to change this, I wouldn't be
comfortable making the change now.

If I could make a different suggestion (which is in the same spirit as
the rewrite, actually), the security team could encourage the reporter
to report to linux-distros once there is a patch or the patch is public
-- that way, it's: 1) not on the security team to disclose anything, 2)
distros get a heads up on the patch, and 3) everybody gets to know about
the security impact of the bug when it is eventually posted to
oss-security within 1-2 weeks.

Thanks for your comments/explanations, it certainly helps to have more
perspective.


Vegard