taviso

linux, programming and security

McAfee Unhappy with Gentoo Security


One of our developers noticed that a package in portage was failing a QA test, so they started working on removing it from the tree (due to license restrictions we cannot fix it). Although the developer who found it didn't realise it at the time, it turns out that the bug in question was a serious security problem.

The binary package (McAfee VirusScan for Linux) had set a DT_RPATH containing the working directory. This means the program will search there for shared libraries, which is obviously a bad idea: if you invoke virusscan from the same working directory as the untrusted file you're trying to scan, virusscan might actually execute it for you (this also applies to automated systems, such as mail scanners).
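As an added example (not code from the original post, from Gentoo or from McAfee), here is the kind of check a packaging QA step could run to catch this class of bug: it reads DT_RPATH and DT_RUNPATH out of a 64-bit little-endian ELF's .dynamic section and flags any entry the dynamic loader would resolve relative to the current working directory (an explicit ".", a relative path, or an empty element, which glibc also treats as the cwd). It goes slightly beyond the post by also covering DT_RUNPATH; the function names are assumptions.

```python
import struct

DT_NULL, DT_RPATH, DT_RUNPATH = 0, 15, 29
SHT_DYNAMIC = 6


def read_rpaths(elf: bytes):
    """Return [(tag_name, path_string)] for every DT_RPATH/DT_RUNPATH entry.

    Walks the section header table to find SHT_DYNAMIC and its linked
    string table (.dynstr). Only ELF64 little-endian is handled here.
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is supported by this example")
    (e_shoff,) = struct.unpack_from("<Q", elf, 40)          # section header table offset
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 58)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    found = []
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab = shdrs[sh[6]]                  # sh_link of .dynamic points at .dynstr
        str_off, str_size = strtab[4], strtab[5]
        dyn_off, dyn_size, dyn_ent = sh[4], sh[5], sh[9] or 16
        for off in range(dyn_off, dyn_off + dyn_size, dyn_ent):
            d_tag, d_val = struct.unpack_from("<qQ", elf, off)   # Elf64_Dyn
            if d_tag == DT_NULL:
                break
            if d_tag in (DT_RPATH, DT_RUNPATH):
                raw = elf[str_off + d_val:str_off + str_size].split(b"\0", 1)[0]
                found.append(("DT_RPATH" if d_tag == DT_RPATH else "DT_RUNPATH",
                              raw.decode()))
    return found


def unsafe_components(rpath: str):
    """Flag search-path elements the loader resolves relative to the cwd."""
    bad = []
    for comp in rpath.split(":"):
        if comp in ("", ".") or comp.startswith(("./", "../")):
            bad.append(comp or "<empty>")      # empty element == cwd on glibc
        elif not comp.startswith(("/", "$ORIGIN", "${ORIGIN}")):
            bad.append(comp)                   # any other relative path
    return bad


if __name__ == "__main__":
    import sys
    for tag, rp in read_rpaths(open(sys.argv[1], "rb").read()):
        print(tag, rp, "UNSAFE" if unsafe_components(rp) else "ok", unsafe_components(rp))
```

A binary whose section headers have been stripped entirely would need the PT_DYNAMIC program header instead, which this example does not handle; `$ORIGIN` entries are accepted here since they resolve relative to the executable, not the cwd.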

As the bug was already public (on the gentoo-dev mailing list and on our publicly accessible bugzilla), as soon as I realised it was a security issue we emailed McAfee to explain the problem and organised sending out an advisory as quickly as possible.

Well, it turns out McAfee weren't too happy with this and publicly flamed us for not being professional or "responsible" and putting users in danger. Of course they're not responsible for selling flawed software; it's all our fault for finding the problem and informing them and our users about it. rolleyes

They also completely failed to understand the nature of the bug (they say "as the privilege of the executed code is not raised from the privileges of the executing user", which makes no sense, and also "an attacker would have had to compromise the machine through another mechanism in order to place the malicious library on the system", which is just plain dumb), but at least they acknowledged there's a problem.


Comments

Anonymous Friday, December 15, 2006 4:15:05 AM

Daniel Drake writes: Totally ridiculous considering this is coming from a company who specialise in SECURITY... Keep up the great work

Anonymous Friday, December 15, 2006 4:20:02 AM

gregf writes: read this on the list an hour ago, was shocked by it myself.

Anonymous Friday, December 15, 2006 10:35:44 AM

Sérgio Carvalho writes: While writing bad software places McAfee in dire straits, Gentoo does not look too good in the picture either. Publicly posting a vulnerability a few hours after informing McAfee, when this document: http://www.gentoo.org/security/en/vulnerability-policy.xml clearly states that Gentoo treats serious vulnerabilities as secret. Hmm... sketchy. I believe companies should get a minimal timeframe to deal with serious flaws. Two or three days should be enough to either disable the failing functionality or issue a correcting patch and push it out through automated update. 9 hours provides no such window of opportunity. Might as well not warn McAfee at all.

Anonymous Friday, December 15, 2006 1:05:03 PM

Anonymous writes: I believe that the fact why the issue was released publicly was that the Gentoo team already had made it available on the mailing-lists and bugzilla(, probably accidentally,) and tried to defend Gentoo users from that bug by letting them know that the bug exists...

Anonymous Friday, December 15, 2006 2:58:09 PM

Anonymous writes: Just laugh in their face. McAffee's response is completely ridiculous and further exposes them for incompetent idiots that they are. I guess being accused of unprofessionalism by the least professional people in the industry is some kind of rite of passage.

Anonymous Friday, December 15, 2006 5:47:08 PM

Anonymous writes: @Sérgio Carvalho, I disagree; the bug was publicly available and known for days before Gentoo even informed McAfee. McAfee is clearly at fault here, as for a *security* company, they should have known one of their products was reported vulnerable within an hour of the original public release.

Anonymous Friday, December 15, 2006 10:34:43 PM

Anonymous writes: Wow, McAfee really knows how to make friends. "Not following responsible disclosure places customers, both ours and yours, at risk. You put them at risk because you did not allow us even a customary amount of time to make a fix available." I love how the information creates the vulnerability, not the software. I'm glad I'm not at McAfee customer. Maybe david_coffey@mcafee.com could clarify that for us.

Anonymous Saturday, December 16, 2006 7:44:19 AM

Anonymous writes: And Gentoo is also good at making friends. "We cant be wrong because its not our software. We can do whatever we want."

Anonymous Saturday, December 16, 2006 9:52:02 PM

Anonymous writes: yet another demonstration of how little boys play in the sandbox when the mothers aren't around

Anonymous Tuesday, December 19, 2006 9:13:44 AM

Anonymous writes: Whatever you meant by "sandbox", that is just one example of "corporate policy". All it wants to say is: "If we make a mistake/blunder/forget something etc., then it is secret information".

