Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20181214130755.GA24633@openwall.com>
Date: Fri, 14 Dec 2018 14:07:55 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Jann Horn <jannh@...gle.com>
Subject: Re: Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7)

On Thu, Dec 13, 2018 at 09:02:12PM +0100, Yves-Alexis Perez wrote:
> On Wed, 2018-12-12 at 15:24 +0100, Solar Designer wrote:
> > A question to ask may be: out of Linux kernel vulnerabilities being
> > patched, are there more high and critical overall severity (e.g., as
> > risk impact times risk probability) vulnerabilities found in "too
> > recent" kernels than there are high and critical severity untracked
> > vulnerabilities (also or instead) affecting "sufficiently old" kernels?
> 
> Data collected by Kees and regularly updated might help here. See 
> https://events.linuxfoundation.org/wp-content/uploads/2017/12/Overview-and-Recent-Developments-Kernel-Self-Protection-Project_Kees-Cook.pdf#%5B%7B%22num%22%3A22%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C0%2C446.4%2C0%5D
> for the last edition (sorry for the weird anchor, in case it breaks it's on
> slide 5)

Thanks!  Slide 4 says average lifetime among 3 critical issues is 5.3
years, and among 79 high severity issues is 5.6 years.  (And then
there's over a thousand of medium and low severity issues.  Ouch.)

However, to answer my question above we need median and not average.
For example, (1, 2, 3, 16) has an average of 5.5 years, but in that
example by choosing a kernel version that is 2.5 years old, which is way
below the average, we'd nevertheless avoid half of the issues.

Slide 5 is in fact more relevant: it's an illustration showing
"critical & high CVE lifetimes" against kernel versions.  Per this
illustration, we can see that my example of 3.10 (as RHEL7's base
kernel) is hit by many low-numbered issues, but is hit by only two in
the 67 to 82 range, which is 1/8 or 12.5% of issues found that recently.
This is consistent with what I said about it having needed to mature
"for a few years and a few hundred revisions" after RHEL7 was first
released.  I think it became mature enough just recently.  It didn't
feel mature enough to me when I ran Trinity for a few days (with many
restarts) on a RHEL7-derived system two years ago.  I hope those crashes
have since been rediscovered with superior fuzzers allowing for easy
reproduction, and patched.  We've seen major improvement in fuzzing.

Somehow Nicholas' reply below isn't part of the same thread (no proper
In-Reply-To header), so let me bring it to the thread:

https://www.openwall.com/lists/oss-security/2018/12/13/14

On Thu, Dec 13, 2018 at 06:07:32PM -0500, Nicholas Luedtke wrote:
> We have also been compiling and presenting the CVEs on a per stream
> basis at https://www.linuxkernelcves.com because the question of which
> upstream stable branch to choose has been asked on a enterprise level
> many times. Of course, once you choose once you still have to track the
> changes (or lack there of).

This is also very interesting and relevant.  As the website (and GitHub
README.md) acknowledges:

"This is currently autogenerated and will go through testing before any
promises of accuracy are made.  The eventual goal would be to have a
community curated list of CVEs along with when the code was introduced
and when it was fixed."

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.