2018-06-17 20:13:45 +00:00
|
|
|
I'm writing this on a private branch, it won't be posted until a week from
|
|
|
|
now when the security hole is disclosed.
|
|
|
|
|
|
|
|
Security is not compositional. You can have one good feature, and add
|
|
|
|
another good feature, and the result is not two good features, but a new
|
|
|
|
security hole. In this case
|
2021-06-21 17:10:13 +00:00
|
|
|
[[security/CVE-2018-10857_and_CVE-2018-10859|CVE-2018-10857]].
|
2018-06-21 18:50:20 +00:00
|
|
|
And it can be hard to spot this kind of security hole, but then once it's
|
|
|
|
known it seems blindly obvious.
|
2018-06-17 20:13:45 +00:00
|
|
|
|
|
|
|
It came to me last night and by this morning I had decided the potential
|
|
|
|
impact was large enough to do a coordinated disclosure. Spent the first
|
|
|
|
half of the day thinking through ways to fix it that don't involve writing
|
|
|
|
my own http library. Then started getting in touch with all the
|
|
|
|
distributions' security teams. And then coded up a fairly complete fix for
|
|
|
|
the worst part of the security hole, although a secondary part is going to
|
|
|
|
need considerably more work.
|
|
|
|
|
|
|
|
It looks like the external special remotes are going to need at least some
|
|
|
|
security review too, and I'm still thinking that part of the problem over.
|
|
|
|
|
|
|
|
Exhausted.
|
|
|
|
|
|
|
|
Today's work was sponsored by Trenton Cronholm
|
|
|
|
[on Patreon](https://patreon.com/joeyh).
|
|
|
|
|
|
|
|
[[!meta date="Jun 15 2018 7:00 pm"]]
|