Security patches

Ken Moffat ken at linuxfromscratch.org
Wed Aug 17 16:16:13 PDT 2005


On Tue, 16 Aug 2005, Archaic wrote:

> On Tue, Aug 16, 2005 at 09:47:06PM +0100, Ken Moffat wrote:
> >
> >  This vulnerability should be low risk for most of us, but I think it's
> > the sort of thing that ought to be applied.
>
> Agreed.
>

 Hmm, I think I should have checked the patches list before starting
this thread, it's already been committed.  Thanks, Jim.

> > The question is, what do other people, particularly LFS editors,
> > think?  Should there be a severity threshold, and less critical
> > patches need to be discussed on this list, or should I just go ahead
> > and commit?
>
> Well, most things should be mentioned even if there is no discussion
> needed. It at least gives the OP the chance to lay out the problem and
> the relevant URLs (ensure {b,}lfs-dev and lfs-support are sent the
> email for the sake of those who don't follow all the lists). If the
> patch is tested and known to not break something obvious, then by all
> means commit it (testing branches and other specialty branches may have
> more specific guidelines).
>

 If people don't want to follow -security, I don't think spamming the
support lists will help.

> If it breaks something subtly, that would hopefully be found as more
> people build trunk and BLFS, which also implies that the closer to a
> release we get, the more rigorously the editor should test *before*
> committing. The very minimum of testing is to create a test case and
> trigger the vuln in the non-patched software then try with the patched
> software instead of taking some distro's word that said patch works
> (they've been wrong before).
>
> All IMO.
>

 And in terms of post-release errata, I suppose I have to swear by
everything I hold holy that it works and fixes the vulnerability.  Or
maybe just swear on the grave of my AmigaOne.  Well, I don't have the
right mindset to fully concoct an exploit, but in this case the patch
prevented a contrived filename from running 'exit' so I'm more or less
OK this time.  But more generally, that is a very high standard.

> >   Do people think the patches need to be reviewed for apparent
> > correctness, or is the opinion of one editor that a patch looks
> > reasonable sufficient?
>
> Well, we do have the opportunity to review the commit message. :)

 If we're subscribed to -patches.

 Anyway, thanks for the comments.  I'll add it to the errata for stable
in the morning, then announce it on -security.

Ken
-- 
 das eine Mal als Tragödie, das andere Mal als Farce
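The verify-before-and-after step Archaic describes above (trigger the vuln on the unpatched build, then confirm the patched build no longer fires), as an added example that is not part of the original thread and not code from any LFS package. The target is a constructed toy: `unpatched.sh` builds a command string with `eval`, `patched.sh` passes the filename as a quoted argument. The crafted filename, the `RAN_TO_END` marker and the exit code 7 are assumptions made here, and none of it is the patch or the package Ken discusses.

```shell
#!/bin/sh
# Added example: a minimal patch-verification harness.
# A test case only proves something if it fires on the OLD build and stops on
# the NEW one; checking the patched build alone is "taking someone's word".

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed toy "software", vulnerable version: the filename is expanded
# unquoted inside eval, so shell metacharacters in the name are executed.
cat > "$workdir/unpatched.sh" <<'EOF'
#!/bin/sh
eval "wc -c < $1"
echo "RAN_TO_END"
EOF

# Constructed toy, patched version: no eval, argument stays a single word.
cat > "$workdir/patched.sh" <<'EOF'
#!/bin/sh
wc -c < "$1"
echo "RAN_TO_END"
EOF

# The contrived filename (assumption): a name that, if interpolated into a
# command line, terminates the program with 'exit 7' before the marker echo.
crafted='x; exit 7'
: > "$workdir/$crafted"

# run_trigger PROGRAM -> prints VULNERABLE if the crafted name altered control
# flow (exit status 7 or marker never printed), SAFE otherwise.
run_trigger() {
    rc=0
    out=$(sh "$1" "$workdir/$crafted" 2>/dev/null) || rc=$?
    case "$out" in
        *RAN_TO_END*) marker=1 ;;
        *)            marker=0 ;;
    esac
    if [ "$rc" -eq 7 ] || [ "$marker" -eq 0 ]; then
        echo VULNERABLE
    else
        echo SAFE
    fi
}

# verify_patch -> exit 0 only when the test case demonstrably fires on the
# unpatched build AND is stopped by the patched build.
verify_patch() {
    before=$(run_trigger "$workdir/unpatched.sh")
    after=$(run_trigger "$workdir/patched.sh")
    echo "unpatched: $before, patched: $after"
    [ "$before" = VULNERABLE ] && [ "$after" = SAFE ]
}

verify_patch
```

Substituting the real package's build directories for the two toy scripts and the real reproducer for `run_trigger` turns this into the check an editor would run before committing; a harness that reports SAFE for both builds means the test case, not the patch, is the thing that needs fixing.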