taviso

linux, programming and security

McAfee Unhappy with Gentoo Security


One of our developers noticed that a package in portage was failing a QA test, so they started working on removing it from the tree (due to license restrictions we cannot fix it). Although the developer who found it didn't realise it at the time, it turns out that the bug in question was a serious security problem.

The binary package (McAfee VirusScan for Linux) had set a DT_RPATH containing the working directory. This means the program will search there for shared libraries, which is obviously a bad idea: if you invoke virusscan from the same working directory as the untrusted file you're trying to scan, virusscan might actually execute it for you (this also applies to automated systems, such as mail scanners).
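An added example, not part of the original post: a small checker that parses `readelf -d` output and flags DT_RPATH/DT_RUNPATH entries the dynamic loader resolves relative to the current working directory (an empty entry, `.`, or any non-absolute path), which is exactly the class of defect described above. The sample output below is constructed to mirror the readelf format and is not taken from the McAfee binary; `readelf` from binutils is assumed to be installed for the live scan.

```python
import re
import subprocess

# Matches the RPATH / RUNPATH lines printed by `readelf -d`, e.g.
#  0x000000000000000f (RPATH)   Library rpath: [/usr/lib:.]
#  0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/../lib]
RPATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s+\[(.*)\]")

def unsafe_rpath_entries(rpath):
    """Return the entries of a DT_RPATH/DT_RUNPATH string that the loader
    searches relative to the working directory. The string is ':'-separated;
    an empty entry (leading, trailing or doubled ':') means "cwd" too."""
    unsafe = []
    for entry in rpath.split(":"):
        # $ORIGIN resolves against the directory of the binary itself, not the
        # cwd, so those entries are not flagged by this check.
        if entry.startswith("$ORIGIN") or entry.startswith("${ORIGIN}"):
            continue
        if entry == "" or entry == "." or not entry.startswith("/"):
            unsafe.append(entry)
    return unsafe

def parse_readelf_dynamic(text):
    """Extract (tag, search path string) pairs from `readelf -d` output."""
    return [(m.group(1), m.group(2)) for m in RPATH_RE.finditer(text)]

def scan_binary(path):
    """Run readelf on an ELF file and report cwd-relative search path entries
    as (tag, full rpath string, list of offending entries) tuples."""
    out = subprocess.run(["readelf", "-d", path], capture_output=True,
                         text=True, check=True).stdout
    findings = []
    for tag, rpath in parse_readelf_dynamic(out):
        bad = unsafe_rpath_entries(rpath)
        if bad:
            findings.append((tag, rpath, bad))
    return findings

# Constructed sample of `readelf -d` output (not from any real binary).
SAMPLE = """Dynamic section at offset 0x1000 contains 2 entries:
  Tag        Type                         Name/Value
 0x000000000000000f (RPATH)              Library rpath: [/opt/scanner/lib:.]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib]
"""

if __name__ == "__main__":
    for tag, rpath in parse_readelf_dynamic(SAMPLE):
        bad = unsafe_rpath_entries(rpath)
        print(tag, rpath, "UNSAFE entries: %r" % bad if bad else "ok")
```

Pointing `scan_binary()` at an installed executable gives the same report for a real file; an empty list means no cwd-relative search path was found.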

As the bug was already public (on the gentoo-dev mailing list and in our publicly accessible bugzilla), as soon as I realised it was a security issue we emailed McAfee to explain the problem and organised sending out an advisory as quickly as possible.

Well, it turns out McAfee weren't too happy with this and publicly flamed us for not being professional or "responsible" and for putting users in danger. Of course they're not responsible for selling flawed software; it's all our fault for finding the problem and informing them and our users about it. :rolleyes:

They also completely failed to understand the nature of the bug (they say "as the privilege of the executed code is not raised from the privileges of the executing user"... which makes no sense, and also "an attacker would have had to compromise the machine through another mechanism in order to place the malicious library on the system", which is just plain dumb), but at least they acknowledged there's a problem.


Comments

Daniel Drake writes:

Totally ridiculous considering this is coming from a company who specialise in SECURITY...

Keep up the great work

By anonymous user, # 15. December 2006, 04:15:05

gregf writes:

Read this on the list an hour ago, was shocked by it myself.

By anonymous user, # 15. December 2006, 04:20:02

Sérgio Carvalho writes:

While writing bad software places McAfee in dire straits, Gentoo does not look too good in the picture either. Publicly posting a vulnerability a few hours after informing McAfee, when this document:

http://www.gentoo.org/security/en/vulnerability-policy.xml

clearly states that Gentoo treats serious vulnerabilities as secret. Hmm... sketchy.

I believe companies should get a minimal timeframe to deal with serious flaws. Two or three days should be enough to either disable the failing functionality or issue a correcting patch and push it out through automated update. 9 hours provides no such window of opportunity. Might as well not warn McAfee at all.

By anonymous user, # 15. December 2006, 10:35:44

Anonymous writes:

I believe the reason the issue was released publicly was that the Gentoo team had already made it available on the mailing lists and bugzilla (probably accidentally) and tried to defend Gentoo users from that bug by letting them know that the bug exists...

By anonymous user, # 15. December 2006, 13:05:03

Anonymous writes:

Just laugh in their face.

McAfee's response is completely ridiculous and further exposes them for the incompetent idiots that they are.

I guess being accused of unprofessionalism by the least professional people in the industry is some kind of rite of passage.

By anonymous user, # 15. December 2006, 14:58:09

Anonymous writes:

@Sérgio Carvalho,

I disagree; the bug was publicly available and known for days before Gentoo even informed McAfee. McAfee is clearly at fault here, as for a *security* company, they should have known one of their products was reported vulnerable within an hour of the original public release.

By anonymous user, # 15. December 2006, 17:47:08

Anonymous writes:

Wow, McAfee really knows how to make friends.

"Not following responsible disclosure places customers, both ours and
yours, at risk. You put them at risk because you did not allow us even
a customary amount of time to make a fix available."

I love how the information creates the vulnerability, not the software. I'm glad I'm not a McAfee customer.

Maybe david_coffey@mcafee.com could clarify that for us.

By anonymous user, # 15. December 2006, 22:34:43

Anonymous writes:

And Gentoo is also good at making friends. "We can't be wrong because it's not our software. We can do whatever we want."

By anonymous user, # 16. December 2006, 07:44:19

Anonymous writes:

Yet another demonstration of how little boys play in the sandbox when their mothers aren't around.

By anonymous user, # 16. December 2006, 21:52:02

Anonymous writes:

Whatever you may have meant by "sandbox", that is just one example of "corporate policy". All it wants to say is: "If we make a mistake/blunder/forget etc., then it's confidential information".

By anonymous user, # 19. December 2006, 09:13:44
