How dangerous is releasing CVEs before developing fixes?

Today it's finally happened. The upstream maintainer of the port we know as textproc/libxml2 has carried out his threat to release vulnerability information into the wild without mitigating it "so others can contribute patches". Thus he has created zero-day opportunities for cracking/hacking by publicising exploitable weaknesses. Given the number of applications depending on his library, has he just endangered the entire Internet infrastructure? If his action will enable malicious foreign governments and terrorists to attack states or other targets, how many countries' security laws is he likely to have violated?
 
Well, how come a pillar of the entire internet infrastructure has like 0 support from companies?
The software is provided as-is; there is no commercial contract between the maintainer and big companies.
It is like everybody is getting free food, and expects the maintainer to do all the work alone when there is a security issue.

No country's law is violated, since last time I checked, there is no sale of libxml2. This is the job of the people that profit from the maintainer's work; they would be liable, since they have to do the work on the software billing of material (SBOM).

This is open-source software written by hobbyists, maintained by a single volunteer, badly tested, written in a memory-unsafe language and full of security bugs. It is foolish to use this software to process untrusted data.
As such, we treat security issues like any other bug. Each security report we receive will be made public immediately and won't be prioritized.
 
I noticed that - while not being able to apply 2023Q3 and - at least for a moment - getting no security alerts.
It would be helpful if you had mentioned some of the rationale behind that upstream maintainer's decision (if known, anyway).

Let's do a very basic reality check:

I remember a time (last century) when FreeBSD committers were proud to mention they had their private backdoors in the OS code. Nobody bothered - at that time we all were indeed a community.

Only later on did this big security paranoia develop, and nowadays it seems nobody cares anymore about software malfunctions unless there is some security concern. And only then did this idea appear that security issues should not be published, so that we are no longer a community, but divided into secrecies.

Let's try and understand how this came about. There was also a time when people did not bother to lock their front doors, because they all were basically the same and nobody had much to steal from. Only later on people became so filthy rich they got paranoid and started to lock their doors.

So we might conclude that the appearance of the big paranoia has nothing to do with the computers themselves, but rather with them being abused to make money. And therefore we should not talk about security, but about the money. Because the money is stolen.

Let's answer the question: why did these big internet corps ("faang") grow so incredibly big? Because, unlike other corps, they did not need to build up infrastructure (like factories, distribution paths, resellers, etc.), as it was already there. We had built it for them, back in the last century, when we still were a community. They only needed to use it and start making money from it. Stolen money.

A few people other than me seem to have already noticed that there is no systemic difference between a government and organized crime. Their identical purpose is just to protect one group of thieves from another.

So then, let's finally answer the questions:

Given the number of applications depending on his library, has he just endangered the entire Internet infrastructure?
No, he has just given us an opportunity for a reality check of what the internet once was, and what has become of it.

If his action will enable malicious foreign governments and terrorists to attack states or other targets, how many countries' security laws is he likely to have violated?
This is irrelevant, because the implied differentiation between "malicious foreign governments" and "countries' security laws" is propaganda babble and warmongering. All governments alike are just doing their task of protecting their own thieves.

The old internet of the last century did not need governments for protection. In fact the governments had no idea about it. They still don't, they just do what the thieves tell them to do.
 
the software billing of material (SBOM).

Okay, I hit that piece of bullshit-bingo for the second time now. Software cannot have a "bill of material" simply because it is not material - so this one is even bullshit in itself!

So what is it about: the thieves apparently have noticed that they did not even bother about what they mix together into their rip-off recipes, and then they seemed to understand that that might be a problem. :/
 
Big Tech got their free lunch served to them and they should contribute more.

Worse than entitled users are entitled governments and corporations.
 
If the libraries (here, libxml2) do NOT need to be "ported" on all platforms (OSes) but simply rebuilding/relinking is sufficient, announce AFTER the libraries themselves are fixed.

If any porting efforts are needed on some platform and the upstream knows about it, informing downstream security officers BEFORE releasing the CVE and giving them time to port should be required. But this would need 2 separate source code repos, one "public to everyone" and one for internal + downstream security officers only.
 
I agree and I sympathise with the problem and the developer. Unfortunately, being free to walk away and refuse to maintain something is not the same as disclosing publicly opportunities to threaten business or critical infrastructure. One is a matter of civil law and the other is potentially criminal even up to the level of treason. What we think of governments is by the by. What governments think of this action is what will matter in practice.

I don't think he understands what he has done.
 
That opportunity was already there.

You assume they didn't know about this bug before it was announced?
I assume governments won't like them being more widely publicised.

I expect many competent intelligence agencies might already have known what Edward Snowden released. It still got him into trouble.
 
I agree and I sympathise with the problem and the developer. Unfortunately, being free to walk away and refuse to maintain something is not the same as disclosing publicly opportunities to threaten business or critical infrastructure. One is a matter of civil law and the other is potentially criminal even up to the level of treason. What we think of governments is by the by. What governments think of this action is what will matter in practice.

I don't think he understands what he has done.
He just showed the world what kind of person he is and therefore he can be assured that no one will ever hire him to do any kind of work.

Edit: language cleanup.
 
I agree and I sympathise with the problem and the developer. Unfortunately, being free to walk away and refuse to maintain something is not the same as disclosing publicly opportunities to threaten business or critical infrastructure.
It's always interesting to know which groups tend to be "threatened" by honesty.

One is a matter of civil law and the other is potentially criminal even up to the level of treason.
There might indeed be governments which consider the defiance of slavery and forced labour as "treason".

I don't think he understands what he has done.
Then maybe we should support him.
 
Today it's finally happened. The upstream maintainer of the port we know as textproc/libxml2 has carried out his threat to release vulnerability information into the wild without mitigating it "so others can contribute patches". Thus he has created zero-day opportunities for cracking/hacking by publicising exploitable weaknesses. Given the number of applications depending on his library, has he just endangered the entire Internet infrastructure? If his action will enable malicious foreign governments and terrorists to attack states or other targets, how many countries' security laws is he likely to have violated?
Links to this? What's the source?
 
Hm, a 10-second lookup on github: https://github.com/GNOME/libxml2

Quote:
"Security
This is open-source software written by hobbyists, maintained by a single volunteer, badly tested, written in a memory-unsafe language and full of security bugs. It is foolish to use this software to process untrusted data. As such, we treat security issues like any other bug. Each security report we receive will be made public immediately and won't be prioritized.
"

Great wake up call.
 
Hm, a 10-second lookup on github: https://github.com/GNOME/libxml2

Quote:
"Security
This is open-source software written by hobbyists, maintained by a single volunteer, badly tested, written in a memory-unsafe language and full of security bugs. It is foolish to use this software to process untrusted data. As such, we treat security issues like any other bug. Each security report we receive will be made public immediately and won't be prioritized.
"

Great wake up call.
Reminds me of several of the other major bugs, where openssl and gnupg were maintained by a single person living with their parents.

I'm tired of seeing large companies rip off open source devs.

Red Hat was purchased for $34 billion. How come they don't have a profit sharing agreement for all the contributors in their packages? It's high time a distro compensated those making the packages.
 
I agree and I sympathise with the problem and the developer. Unfortunately, being free to walk away and refuse to maintain something is not the same as disclosing publicly opportunities to threaten business or critical infrastructure. One is a matter of civil law and the other is potentially criminal even up to the level of treason. What we think of governments is by the by. What governments think of this action is what will matter in practice.

I don't think he understands what he has done.
It's not the first time it happens. It's called full disclosure.

And there's nothing they can do about it. Read the license:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND ...
 
Hm, a 10-second lookup on github: https://github.com/GNOME/libxml2
Thanks. I didn't find it at first glance.

Quote:
"Security
This is open-source software written by hobbyists
So apparently I was right.

For some time I was wondering about the hysterical replacement of words like "master" and "slave", in named/BIND and other pieces of software. Because, any average person in their sane mind would understand the difference between a technical hierarchy of functionality, and actual slavery of human beings; and therefore that whole hysterical replacement is just pointless.
With one possible exception, and that is: if you are a slave-driver yourself, and cannot stand being reminded of that fact.

Therefore this all does not come as a surprise to me.

But, it will not help: the greedy ones will only get more violent. :(
 
Honestly I don't know why so many people used libxml2. The code has never been good. Rip it out and replace it with better.

Do any popular network facing daemons use it?
 
What is better? Xerces isn't.
Xerces certainly isn't. Nothing that heavy could be safe against untrusted data.

For C++ pugixml is decent in terms of security. The pimpl idiom throughout helps for memory issues (and as a bonus, makes it hard for the Rust people to bind against).
No, but many applications put it first thing forward on the network connection.
They shouldn't. It never claimed to be safe against untrusted data.
 