[rsbac] Re: rsbac 1.2.3

by way of Amon Ott <ao at rsbac.org> spender at grsecurity.net
Tue Jun 29 15:06:20 CEST 2004


On Tue, Jun 29, 2004 at 08:52:35AM +0200, Amon Ott wrote:
> Hi Brad!
> 
> On Dienstag, 29. Juni 2004 00:02, spender at grsecurity.net wrote:
> > I would like credit for discovering the jail vulnerabilities that you 
> > recently fixed.  I would also like credit for the regression suite that 
> 
> Since you only claimed to others that there might be some, but did not tell
> any details or prove anything, I will take the credit myself for finding
> and fixing them.

No, not that there might be some, but that there ARE (and still are) 
several.  I gave them the code to find these *vulnerabilities* even with 
instructions on how to modify it to test with RSBAC.  What the else do 
you want?  You want me to fix your vulnerabilities too?

It was considered a vulnerability when grsecurity didn't protect against 
a certain method of modifying the kernel for which it had an option to 
protect against other methods, and this method could be protected 
against by default by using the RBAC system.  Don't try to hide the 
facts of it being a vulnerability by assuming that everyone is going to 
use all the modules of RSBAC.  If you say you're providing a "jail" 
environment, and I can easily execute code outside of that "jail," it's 
a vulnerability.  Don't try to spin this.  CVE and every other database 
will happily make an entry for each one of the vulnerabilities.  Bugtraq 
and every other mailing list will happily recognize it as a 
vulnerability.

> The code has been taken from a project, which I thought to release free
> software only, and has been modified for RSBAC use. If this is not the
> case, I will remove the code and make a public statement about the mistake
> about an unclear licence.

The license has been modified to read as follows:

All code in this directory is (c) Brad Spengler, 2004
Because RSBAC developers blatantly rip code unlawfully and do not give
credit for reporting multiple vulnerabilities in their system, this code
may not be modified or redistributed.  It may be used only for the
purposes of verifying a grsecurity installation where RSBAC is not 
present in the kernel.

> I would be glad to get any of your claims detailed and proved instead of
> making unproven claims. If you think it fine to release bugs to the public
> instead of notifying the authors, this is something I would classify as
> dishonest.

Again, as seen from above, I did more than my share to report these 
holes.  If I had not, how would you have found them?  Are you also 
claiming to have not found them by using my code?  Just because you 
don't like someone's method of reporting vulnerabilities doesn't give 
you the right to be a jackass.  In fact, I had even discussed the 
vulnerabilities in explicit terms on IRC with albeiro.  It's hilarious 
to me when I discover multiple vulnerabilities in someone's system and 
they still think I'm lying about there being additional holes.

> Please reread your previous paragraph to find another unproven claim, which
> should rather be shown to the author. BTW, you seem to be missing one
> fact: JAIL is not all of RSBAC - it is a convenient, but not an important
> module.

And you seem to be missing one fact.  JAIL can be used by itself.  It is 
supposed to provide jail functionality.  If it does not do what you 
claim it to do, it is a vulnerability.  Stop spinning this to avoid bad 
publicity.

Since you've been unwilling to do the honest thing in spite of the 
facts, I have no choice but to file separate CVE and OSVB records for 
each of the vulnerabilities, and notify all security lists.  You may not 
take the security of your users seriously, but I do.

-Brad
