[Dailydave] Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1)

[Steve Grubb]

On Saturday 11 November 2006 16:46, L.M.H wrote:
> OK, enough FUD already.

First let's say that FUD is the wrong word to use here. You are the one 
spreading FUD. Dave is not causing panic or a sense of "oh shit". He is 
merely point out the obvious...you have to either have privileges to perform 
mount or physical access to the machine. If all these are is DoS and you have 
physical access, why not just yank the power cord? Until an exploit is 
written, these are just DoS crashes.

> There's something that strikes me, why a bug 'with no security
> implications' is marked as private to Red Hat employees?

Because that is the responsible thing to do. If a bug is not assessed that 
could be a security issue, it should be private until a determination has 
been made one way or another. This also brings up the point that you are 
posting bugs I found to the MoKB as if you found them and not giving me 
credit. This also goes for the squash double free (which the kernel catches) 
and the ext3 softlock up - both of which were in bugzilla a while back. There 
are also bugs filed for hfs and gfs2 - which simply crash the system.

These bugs do need to be fixed based on robustness criteria not necessarily 
security criteria. It is normal for people to have a disk crash and want to 
mount the corrupted disk in effort to salvage what they can. This is the main 
reason these bugs need to be fixed. If you have root to do mounting, there 
are so many ways to crash your own machine. The need to make file systems 
more robust is the reason that I worked on fsfuzzer with you.

If you have physical access to a machine, you can put your favorite distro in 
the CD-Rom tray and install anything you want on the system. So, no I do not 
believe this falls into security fixes because there are easier ways to 
compromise a box if you are root or have physical access.

-Steve

PS the above is not FUD since I'm not spreading fear.