I find it quite amusing how quickly people jump the gun on things and start spreading FUD without bothering to talk to the people involved. I suppose that’s the creative license that having a blog entitles people to, but it still irks me because in a lot of cases it’s completely unfounded and could easily be cleared up with a simple email question.
I was wandering around and found Battle of the Titans: Mandriva 2008 vs OpenSUSE 10.3. Interesting read; I like how Mandriva comes out on top although there are definitely areas we can improve upon. But what else is new? Every distro has areas that can be improved upon.
Anyways, in the comments I’m reading: “the sad part is an unexpected secrecy in Mandriva”, which refers to a bug aliased as CVE-2007-2834, which the individual didn’t have access to. Of course, he starts a FUD-based tirade on his own blog Planete Beranger. And this is where the fun begins.
At this point, Beranger decides to go on a tirade about hidden bug reports. Good thing Adam is around to smack some sense into him (I’m assuming Beranger is a him, but I don’t really know). He has some nice nuggets like:
Anyway, the sad part is an unexpected secrecy with Mandriva: try a search for http://qa.mandriva.com/show_bug.cgi?id=CVE-2007-2834 and you will get a blunt: You are not authorized to access bug #33759. Huh?! And indeed, the access to http://qa.mandriva.com/show_bug.cgi?id=33759 is denied! I very much dislike this huge blunder from Mandriva’s part: are they trying to play Microsoft, or what?! Hiding bug reports is unacceptable!
Hmmm… well, if he would have bothered to ask anyone, he would have had his answer fairly quickly as to what the deal with that report is. The contents of this bug report are, exactly:

Description: Opened: 2007-09-19 17:06 CEST Private
Name: CVE-2007-2834
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2834
Reference: IDEFENSE:20070917 Multiple Vendor OpenOffice TIFF File Parsing Multiple Integer Overflow Vulnerabilities
Reference: URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=593
Reference: CONFIRM: http://www.openoffice.org/security/cves/CVE-2007-2834.html
Reference: DEBIAN:DSA-1375
Reference: URL: http://www.debian.org/security/2007/dsa-1375
Reference: BID:25690
Reference: URL: http://www.securityfocus.com/bid/25690

Integer overflow in the TIFF parser in OpenOffice.org (OOo) before 2.3 allows remote attackers to execute arbitrary code via a TIFF file with crafted values of unspecified length fields, which triggers allocation of an incorrect amount of memory, resulting in a heap-based buffer overflow.

———- Comment #1 From Vincent Danen 2007-09-20 19:07:11 CEST ———- Private
Fixed.
Pretty spicy stuff, no? In fact, if you look up entry CVE-2007-2834 on MITRE’s website, you’ll see the same thing (minus the “Fixed” comment). In fact, you’ll see more.
Oh, and lookee here, you’ll also see this:
MANDRIVA:MDKSA-2007:186 URL:http://www.mandriva.com/security/advisories?name=MDKSA-2007:186
And what happens when you follow that link? Well, you get to see that it was fixed in CS3, 2007.0, and 2007.1. Doesn’t indicate 2008, of course, because it was fixed when 2008 was cooker, thanks to this (public) report: Bugzilla bug #33824.
Now, of course, all of this could have been settled with a simple email. Instead, this Beranger fellow starts spreading FUD, looks like he’s seriously lacking in the investigation skills department, and generally makes a fool of himself.
So, what’s the deal with the private bug report? Well, it’s 1) boring and 2) an internal tracker. Yes, the security team uses bugzilla to track issues we need to deal with. Are these safe for public consumption? Sometimes. Are they interesting to the public? Not really. I think the result is more interesting. For instance, I think that the actual advisory, MDKSA-2007:186, would be far more interesting than a bug report that’s essentially a carbon-copy of the original CVE entry. Now, in this case, perhaps bug #33824 could have had the alias CVE-2007-2834 as it was issued to resolve only one bug.
So, what do we do when an advisory deals with more than one CVE or issue? We can’t give one bug two different aliases. So, let’s look at bug #34610 (libvorbis). If you look at the dependencies, you’ll see bugs #33871 and #33872. Both are private. Both have aliases for the two CVEs fixed in that advisory. Both use them as aliases. Sure, I could remove the aliases from the CVE-entry-clone reports, but I can’t assign both to one bug. Or what about the kernel? Or firefox?
My point is, internal tracking bugs have absolutely no relevance to anyone outside of the security team, so no, I don’t see the point in making them public, even after they’re dealt with. It’s nothing more than a glorified TODO list. The advisory itself, and the associated bug report, are important… both of those are public. We’re not trying to hide any details… those details can be found in a dozen places: the public bugzilla advisory report, the official advisory on the website, the security-announce mailing list, the CVE dictionary, NVD, Secunia, Bugtraq (the website and the mailing list), the full-disclosure mailing list… the list goes on.
This fellow should have done a bit more research before starting in on his conspiracy theory. It was both amusing and infuriating… amusing at his ignorance, infuriating that he would start the FUD train without even firing off a simple email saying “wtf guys, this bug is private?!?”. An easy explanation could have been given and the FUD train wouldn’t have left the station.
It’s nice to see both Adam and Fabrice straighten this guy out in comments on his blog, and Fabrice made his own blog post regarding it too.
Fabrice said it quite well: “So next time guys, get your facts ;)”
I agree with that sentiment whole-heartedly.