[7429] in bugtraq


Re: Fwd: Any user can panic OpenBSD machine

daemon@ATHENA.MIT.EDU (David Maxwell)
Tue Jul 28 19:17:26 1998

Date: 	Tue, 28 Jul 1998 09:45:06 -0300
Reply-To: David Maxwell <david@WWW.FUNDY.CA>
From: David Maxwell <david@WWW.FUNDY.CA>
X-To:         "Angelos D. Keromytis" <angelos@DSL.CIS.UPENN.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199807280125.VAA15730@adk.gr>; from Angelos D. Keromytis on Mon,
              Jul 27, 1998 at 09:25:39PM -0400

On Mon, Jul 27, 1998 at 09:25:39PM -0400, Angelos D. Keromytis wrote:
>
> In message <19980727180938.41315@dimensional.com>, Michael Fuhr writes:
> >
> >disclosure, isn't it?  I for one was appalled at the simplicity of the
> >exploit in what's claimed to be one of the most secure operating
> >systems around, especially since it doesn't appear to be a problem
> >with the other BSDs.
>
> While I'll agree that this is a very lame bug (in the sense that it
> shouldn't exist), one can hardly call it an exploit. It causes a
> machine to crash, but we already know how to do that in 32 different
> ways (and just as easily -- they don't even require a compiled program)
> once you can log in (and for some OSes, even without logging in :-)
>
> I don't know why the person who complained did so, but I think he was
> unjustified. You were right to point out that this is a full disclosure
> list.
> - -Angelos
>
> PS. The bug was fixed about 1 hour ago.

Sigh. Yes, this is a full disclosure list, but without starting the whole
discussion again - it has been mentioned before that one ought to give a
vendor a reasonable opportunity to respond to any issues before posting them
here. People have given companies like Microsoft (whom I'm no fan of) a week
to respond to more serious issues than this, as long as the vendor is being
responsive and responsible. The OpenBSD PR was ticketed about 24 hours before
your reply stating that it had been fixed - would 24 hours have been an
unreasonable delay - considering that OpenBSD's group was aware of the problem
(hence the PR), considered it 'serious', 'high'-priority, and 'critical', and
marked it as confidential 'yes'? To the earlier response regarding the fact
that this was posted to an OpenBSD list I say this: I doubt that many hackers
monitor the OpenBSD lists in hopes of picking up bugs, while I'm sure many
do monitor Bugtraq. All public forums are not equivalent - I do not feel
distribution in one automatically merits distribution in any other without
consideration.

                                                        David Maxwell

BTW: I don't even run an OpenBSD box, this just felt like a bit of hit-and-run
to me.
