Vulnerability - Slackware can be compromised - all versions affected
It would have helped if crts would have contacted Pat instead of posting here first with all the drama. Then perhaps this whole thread would have not happened.
Yes. As I said above, this is certainly *not* how found vulnerabilities should be handled. It only creates FUD, without any real value.
But at least we all learned you were on a blacklist!
Thanks for your dedication and have a nice weekend!
It will be interesting to me to see if OP ever posts here again given the (justified) negative responses. Not many people learn how to accept their own mistakes as important steps in a learning process, and admit to them. I'm not certain if that is more prevalent IRL, where it's actually face-to-face with someone you will see again, or online, where one can just fade away anonymously.
I hope if OP was actually serious and skilled enough to find even some minor vulnerability that he has the cojones and mental strength to just explain he was excited, overreacting, confused, or whatever led him to post in such a manner. Hopefully he learns that, as Carl Sagan stated, "Extraordinary claims require extraordinary evidence", so it should be a given that mere hints that "the sky is falling" will be greeted by extreme skepticism.
It will be interesting to me to see if OP ever posts here again given the (justified) negative responses.
Setting aside whatever weird issues he apparently has with Eric, this thread should have been:
#1 "I think I've found a vulnerability... Who do I tell?"
#2 "Email Pat".
end-of-thread.
IMO the subsequent dog-piling was neither justified, nor helpful.
Setting aside whatever weird issues he apparently has with Eric, this thread should have been:
#1 "I think I've found a vulnerability... Who do I tell?"
#2 "Email Pat".
end-of-thread.
IMO the subsequent dog-piling was neither justified, nor helpful.
True, but, the OP provoked the escalation by being critical of Eric in the first post. There was no need to do that. I'm glad that the team is in contact with the OP. I'm also grateful that the OP notified us about the potential vulnerability.
That's bullshit. Instead of making big mysterious eyes, the OP should post what it is about. Slackware by itself does not provide any advanced administration tools. The only places where a vulnerability may appear are the startup scripts, pkgtools, mkinitrd, slackpkg - probably I missed one or more. Besides that, vulnerabilities come directly from applications, so the authors of the application should be addressed, not Slackware. In other words, these are the only possible points where the admin cannot address the vulnerability by himself. I mean, I can stop using slackpkg - but if it is deeper, how do I stop using pkgtools? Just build manually and
Code:
# make install
tools are made to help, not to free you from thinking (probably I should add "morons" here, but a mod will surely kick my ass, so I omit this one).
Edit: OP should state it explicitly so people can do something by themselves instead of sitting and trying to guess what it is about, and waiting for a fix(?). If there is really a vulnerability in Slackware, the OP's installation can be broken as well.
If the vulnerability concerns only Slackware, then it must be only at points where Slackware differs from other Linuxes. And the first thing the OP does not understand is that saying that some random person found a vulnerability is completely enough for most real hackers. It is as valuable as just straightforwardly describing what it is. Even worse, because real hackers would now have a great advantage: they would quickly find out what it is about. But we are sitting here trying to guess what it is, while the hackers are working now. So this is why all this is bullshit. From the OP's post it sounds like it was a mistake, an error made by the OP, not being trapped by a script and causing some strange behavior. Bash functionality may cause trouble; bash has too many capabilities to be secure. File names may cause serious trouble. It sounds like the OP never really cared about securing his/her installation. Now something broke down and Slackware is guilty. I really would be glad to hear from the OP what she/he thinks a secure system is.
The problem with "Full disclosure" is that not everyone has the skills to mitigate the problem until the fix arrives. Also, those that do have the skill might not become aware of the disclosure announcement.
The problem with 'responsible disclosure' is that those who do have the skills to mitigate are left vulnerable for longer.
"Full" vs "Responsible" is an argument almost as old as folks have been talking about vulnerability announcements, and neither option is ideal.
BTW, I wouldn't worry about pkgtools: they're inherently insecure by design (doinst.sh runs as root), so there's really no need for anyone to figure out sneaky ways to compromise them.¹
----
¹ This is why one should always GPG-verify your package signatures before use.
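A small wrapper that puts that footnote into practice, added here as an example rather than anything from the thread or from Slackware's pkgtools: it refuses to call installpkg unless the package's detached .asc signature is present and verifies. It assumes the Slackware signing key has already been imported into root's GPG keyring and that the .asc sits next to the package, as on the mirrors.

```shell
#!/bin/sh
# Added example, not from the thread: gate installpkg behind GPG verification.
# Assumes the Slackware public key is already in root's keyring (imported
# from GPG-KEY on a mirror) and that PKG.asc sits beside PKG.

# verify_pkg PKG -> returns 0 only if PKG.asc exists and gpg accepts it.
verify_pkg() {
    pkg=$1
    sig="$pkg.asc"
    if [ ! -f "$pkg" ]; then
        echo "missing package: $pkg" >&2
        return 1
    fi
    if [ ! -f "$sig" ]; then
        # doinst.sh runs as root, so an unsigned package is a full-system risk
        echo "no detached signature for $pkg; refusing" >&2
        return 1
    fi
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify $pkg" >&2
        return 1
    fi
    # gpg exits non-zero on a bad signature or an unknown signing key
    gpg --verify "$sig" "$pkg" >/dev/null 2>&1
}

# safe_install PKG: run installpkg (as root) only after verification passes.
safe_install() {
    verify_pkg "$1" || return 1
    installpkg "$1"
}
```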
What is unfortunate is the post itself
- no one reports a vulnerability in this way
- no one chooses who should answer or not
- no one leaves a vulnerability report, however critical it is, without any update for 8 days