[ale] CRITICAL LINUX FLAW OPENS THE DOOR TO FULL ROOT ACCESS (RHE)

Solomon Peachy pizza at shaftnet.org
Tue May 22 19:33:55 EDT 2018


On Tue, May 22, 2018 at 06:46:03PM -0400, Steve Litt via Ale wrote:
> I can't blame you though. It was only a matter of time. Put Jeffrey,
> Solomon and me on the same list and you're going to get a systemd
> discussion. You just lit the fuse.

Going back to the original subject...

I remember RHL having a bug similar to this (ie improperly escaped shell 
script arguuments in their DHCP client shell scripts) sometime in the 
2000-2001 timeframe, that it was basically due to copy-pasting an ISC 
example, and most other distos being independently affected.  I also 
recall that for some time afterwards, the ISC DHCP client's sample 
scripts continued to be rife with similar bugs, and that there have been 
a veritable laundty list of other security issues since then, including 
two so far in 2018.

Blaming Red Hat for this one is deservedly fair, but let's not pretend 
that ISC needs Red Hat's help to create exploitable security bugs in 
their DHCP codebase.

That said, it's rather disingenuous to conflate this with anything to 
with systemd, as yes, this bug predates systemd's existance, and in any 
case does not involve the same individual contributors -- which brings 
me to another point.  Eeryone who's ever worked at Red Hat does not take 
marching orders from some overarching cabal any more than you or I hold 
the same opinions and motivations by virtue of subscribing to this 
mailing list or (once upon a time) living in the Atlanta Metro area.

Meanwhile, if systemd makes everything RH has ever done or will do 
irrecocably tainted, then you'd best get out of the Linux business 
entirely, because RH is the single largest corportate contributor to 
F/OSS in general -- not in the Google code dump over the wall manner, 
but by directly making or otherwise sponsoring significant 
upstream-first contributions to every layer of the stack [1], from the 
Linux kernel itself; to core GNU utilities -- including and especially 
GCC; to plumbing like KVM and container technologies; to rails, 
servlets, and other application environments; to user applications like 
LibreOffice.  They also sponsor a ton of hardware enablement and related 
infrastructure (networking, printing, graphics/compute, sound, plus 
non-obvious things like ACPI, standardized firmware updating tools, and 
refusing to support vendors that don't supply (and upstream) proper
drivers, which is really giving the various would-be ARM vendors 
serious conniption fits!)

[1] https://community.redhat.com/software/

 - Solomon
-- 
Solomon Peachy			       pizza at shaftnet dot org
Coconut Creek, FL                          ^^ (email/xmpp) ^^
Quidquid latine dictum sit, altum videtur.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://mail.ale.org/pipermail/ale/attachments/20180522/e262f2ae/attachment.sig>


More information about the Ale mailing list