
posted by martyb on Monday July 31 2017, @05:01AM
from the imminent-recursion dept.

The 2017 Pwnie for Lamest Vendor Response goes to Lennart Poettering for systemd. According to CSO, which reported on the Pwnie winners announced a few days ago, the summary for Lennart and systemd reads as follows:

The most spectacular mishandling of a security vulnerability by a vendor ended up winning a Pwnie for Lennart Poettering due to SystemD bugs 5998, 6225, 6214, 5144, 6237. The nomination reads: "Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will be referenced in either the change log or the commit message. But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!"
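The last item in that list is a fail-open bug class rather than a memory-safety one: a service definition names a user the service manager does not accept, the directive is dropped with a warning, and the service runs as the default user, which is root. The Python below is an added illustration for this article, not systemd's code and not a description of how its parser is written. It parses a minimal unit file and resolves the `User=` directive two ways: the lax way that produces the behaviour the nomination describes, and the fail-closed way a practitioner wants, where an invalid or unknown name is a configuration error and the unit does not start. The user database and the unit text are constructed for the example.

```python
"""Fail-closed handling of a unit file's User= directive.

Added illustration for this article; it is not systemd's code and makes no claim
about how systemd's parser is written. It contrasts the failure mode the Pwnie
nomination describes (an invalid user name is ignored and the service runs as
the default user, root) with fail-closed behaviour (an invalid or unknown name is
a configuration error, and the service does not start). The user database below
is constructed for the example.
"""
import re

# Conservative user-name rule: a letter or underscore first, then letters,
# digits, underscore or hyphen, at most 32 characters. Where exactly the line
# is drawn is a policy choice; what matters is what happens when it is crossed.
_VALID_USER = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,31}$")

# Stand-in for getpwnam(): constructed entries, not a real /etc/passwd.
PASSWD = {"root": 0, "www-data": 33, "0day": 1001}
DEFAULT_USER = "root"


class UnitError(Exception):
    """Raised when a unit cannot be started as written."""


def parse_service_section(text: str) -> dict:
    """Return the Key=Value pairs of the [Service] section of an INI-style unit."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip()] = value.strip()
    return keys


def resolve_uid_lax(service: dict) -> int:
    """The bug class: an unusable User= value is dropped and the default applies."""
    name = service.get("User")
    if name is None or not _VALID_USER.match(name) or name not in PASSWD:
        # "Ignoring invalid user name" ... and the unit silently runs as uid 0.
        name = DEFAULT_USER
    return PASSWD[name]


def resolve_uid_strict(service: dict) -> int:
    """Fail closed: a User= value that cannot be honoured stops the unit."""
    name = service.get("User", DEFAULT_USER)
    if not _VALID_USER.match(name):
        raise UnitError(f"User={name!r} is not a valid user name; refusing to start")
    if name not in PASSWD:
        raise UnitError(f"User={name!r} does not exist; refusing to start")
    return PASSWD[name]


# Constructed unit text for the demonstration.
UNIT_0DAY = """
[Unit]
Description=example service

[Service]
User=0day
ExecStart=/usr/local/bin/example
"""

if __name__ == "__main__":
    service = parse_service_section(UNIT_0DAY)
    print("lax    ->", resolve_uid_lax(service))  # 0: the service would run as root
    try:
        resolve_uid_strict(service)
    except UnitError as err:
        print("strict ->", err)
```

The strict variant still defaults to root when `User=` is absent, because that is an explicit, documented default; what it refuses to do is turn a value the administrator wrote into a different identity than the one they asked for.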


  • (Score: 0) by Anonymous Coward on Monday July 31 2017, @05:13AM (43 children)

    by Anonymous Coward on Monday July 31 2017, @05:13AM (#546987)

    In the end, it's Readhat pulling all the strings, but it's poettering that gets all the hate. Why? Because the dumbfuck is a moron and doesn't know it. Or maybe he does, but feels the paycheck is worth it.

  • (Score: 2) by RamiK on Monday July 31 2017, @05:59AM (27 children)

    by RamiK (1813) on Monday July 31 2017, @05:59AM (#546998)

    He's smart enough to understand making a good design with security in mind is exactly what his employers are trying to avoid.

    That's the trouble with tools from the service industry. They're designed to need constant servicing. And being fair, I don't see a lot of software in the UNIX verse that just does its job and doesn't need constant tinkering.

    --
    compiling...
    • (Score: 5, Touché) by PiMuNu on Monday July 31 2017, @07:32AM (26 children)

      by PiMuNu (3823) on Monday July 31 2017, @07:32AM (#547018)

      > I don't see a lot of software in the UNIX verse that just does its job

      sed
      grep
      awk
      cat
      emacs
      bash
      etc etc

      I guess unix-verse is still targeted at people who prefer a command line to a GUI.

      • (Score: 5, Funny) by FakeBeldin on Monday July 31 2017, @07:41AM (7 children)

        by FakeBeldin (3360) on Monday July 31 2017, @07:41AM (#547023) Journal

        ...
        emacs
        ...

        You misspelled "vi" ;-)

        • (Score: 3, Funny) by zocalo on Monday July 31 2017, @08:19AM (3 children)

          by zocalo (302) on Monday July 31 2017, @08:19AM (#547031)
          To be fair, there isn't a decent spell checker on the list. :)
          --
          UNIX? They're not even circumcised! Savages!
          • (Score: 2) by KGIII on Monday July 31 2017, @10:42AM (2 children)

            by KGIII (5261) on Monday July 31 2017, @10:42AM (#547078) Journal

            Not even a good editor is on the list! ;-)

            --
            "So long and thanks for all the fish."
            • (Score: 0) by Anonymous Coward on Monday July 31 2017, @04:27PM (1 child)

              by Anonymous Coward on Monday July 31 2017, @04:27PM (#547227)

              sed -r -i -e 's/^Not even a good.*/what about sed?/g' parent-comment

              • (Score: 2) by KGIII on Monday July 31 2017, @04:53PM

                by KGIII (5261) on Monday July 31 2017, @04:53PM (#547244) Journal

                'just does its job' == 'good'

                emacs is a lovely OS, but a horrible editor. I'm pretty sure people use it only because they haven't figured out how to exit it. ;-)

                --
                "So long and thanks for all the fish."
        • (Score: 0) by Anonymous Coward on Monday July 31 2017, @03:18PM (1 child)

          by Anonymous Coward on Monday July 31 2017, @03:18PM (#547185)

          I think that's spelled 'M-x vim-mode'

          • (Score: 0) by Anonymous Coward on Monday July 31 2017, @03:21PM

            by Anonymous Coward on Monday July 31 2017, @03:21PM (#547188)

            My bad, it's actually
            'M-x evil-mode' now (Extensible VI Layer, heh, must... not.. like... bad... puns... nope, can't help it :) )

        • (Score: 2) by Azuma Hazuki on Monday July 31 2017, @06:13PM

          by Azuma Hazuki (5086) on Monday July 31 2017, @06:13PM (#547278) Journal

          And *you* misspelled "nano" :)

          --
          I am "that girl" your mother warned you about...
      • (Score: 5, Insightful) by ledow on Monday July 31 2017, @08:13AM (3 children)

        by ledow (5567) on Monday July 31 2017, @08:13AM (#547030) Homepage

        Yep.

        Those small, modular, single-purpose commands that tend to work in perpetuity. Hell, I have an entire book on my shelf that describes the way that sed & awk can be used, and yet they are tiny and have barely changed in years.

        And only change when NEW TYPES of attack come out (which is basically never if all you do is cat a given file to the screen, or act on stdin to output on stdout).

        Gosh, I wonder why they were designed that way, rather than a hulking great thing that takes over all functions, inserts itself into critical code paths, reinvents the wheel badly, and offers all kinds of opportunities for misconfiguration, bad defaults (you wanted root, right?) and untested codepaths.

        The irony is that systemd is possibly the antithesis of every bit of security-related advice anyone has ever given.

        I blame Red Hat as much as Lennart, for allowing it to continue.

        • (Score: 2) by tonyPick on Monday July 31 2017, @08:29AM

          by tonyPick (1237) on Monday July 31 2017, @08:29AM (#547034) Homepage Journal

          +1 to this - Yes, using grep/sed/whatever from command line has a learning curve. I went through it in the mid 90's, and it's gained a couple of flags, but it's still all pretty much the same when it comes to getting useful work done.

          Meanwhile you have to relearn the interface for shiny GUI toy of the month, which will be thrown away every six months, and is still less functional.

        • (Score: 1, Informative) by Anonymous Coward on Monday July 31 2017, @09:03AM (1 child)

          by Anonymous Coward on Monday July 31 2017, @09:03AM (#547048)

          which is basically never if all you do is cat a given file to the screen

          You don't cat a file to the screen, you cat it to a terminal. And doing so with text from unknown origin may well be a security problem:
          https://nvd.nist.gov/vuln/detail/CVE-2003-0063
          https://nvd.nist.gov/vuln/detail/CVE-2008-2383
          https://nvd.nist.gov/vuln/detail/CVE-2010-2713
          https://nvd.nist.gov/vuln/detail/CVE-2012-3515
          https://nvd.nist.gov/vuln/detail/CVE-2014-3121

          Note that less by default converts those escape sequences to safe text, so it is a safer way to view text files.

          • (Score: 5, Insightful) by ledow on Monday July 31 2017, @11:13AM

            by ledow (5567) on Monday July 31 2017, @11:13AM (#547089) Homepage

            Those are:

            XTerm
            XTerm
            VTE
            QEmu
            and rxvt

            DATA HANDLING ISSUES. Nothing to do with cat. It's like saying that "Apache" compromised your database because an employer put the whole list in a public_html folder.

            And cat is dumb - it's the things that try to get clever and interpret data (e.g. terminals, less, etc.) that are the ones most likely to cause the problems. Acting on untrusted data is something that no program should mess with lightly. These programs did it and got it wrong. cat doesn't try. Which is why the CVEs listed have nothing to do with cat, but what happens when you put an escape sequence FROM ANY SOURCE into XTerm, etc. without checking it properly first.
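The two comments above agree on the mechanism even while disagreeing about blame: the terminal acts on ESC-, CSI- and OSC-introduced sequences no matter which program wrote them, so a viewer that has to show untrusted bytes must defang them itself, which is what `less` (and `cat -v`) do by rendering control characters as visible text. The Python below is an added illustration of that operation; it is not the code of cat, less or any of the terminals named in the CVEs, and the sample input is constructed. It renders every C0/C1 control character in caret / M- notation, so that `ESC [` becomes the harmless text `^[[`, and separately lists the CSI and OSC sequences found in a string so they can be logged when they turn up where they should not.

```python
"""Render terminal control sequences in untrusted text as visible characters.

Added illustration for this thread; it is not the code of cat, less or any of
the terminals named in the CVEs above. Every C0/C1 control character is written
in caret / M- notation, the convention cat -v and less use, so escape sequences
lose their meaning to the terminal without any text being dropped. The sample
input is constructed.
"""
import re

KEEP = {0x09, 0x0A}  # tab and newline keep their layout meaning


def _caret(cp: int) -> str:
    """Caret notation for one C0 control (0x00-0x1f) or DEL (0x7f)."""
    return "^?" if cp == 0x7F else "^" + chr(cp ^ 0x40)  # 0x1b -> "^[", 0x07 -> "^G"


def sanitize_for_terminal(text: str) -> str:
    """Return text with every control character made printable; nothing is dropped."""
    out = []
    for ch in text:
        cp = ord(ch)
        if cp in KEEP or 0x20 <= cp <= 0x7E or cp >= 0xA0:
            out.append(ch)                        # printable ASCII and ordinary non-ASCII text
        elif cp <= 0x7F:
            out.append(_caret(cp))                # C0 control or DEL
        else:
            out.append("M-" + _caret(cp - 0x80))  # C1 control: U+009B is the 8-bit CSI
    return "".join(out)


# Sequence shapes from ECMA-48 / xterm: CSI = ESC [ params intermediates final,
# OSC = ESC ] text terminated by BEL or ESC \, and any other two-character ESC x.
_SEQ = re.compile(
    r"(?P<CSI>(?:\x1b\[|\x9b)[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e])"
    r"|(?P<OSC>(?:\x1b\]|\x9d)[^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c))"
    r"|(?P<ESC>\x1b.)",
    re.DOTALL,
)


def find_control_sequences(text: str) -> list:
    """List (kind, raw sequence) for every escape sequence in text, for logging."""
    return [(m.lastgroup, m.group(0)) for m in _SEQ.finditer(text)]


# Constructed sample: a coloured word, then an OSC 52 sequence, which asks
# terminals that implement it to replace the clipboard with the base64 text.
SAMPLE = "build \x1b[32mok\x1b[0m\n\x1b]52;c;aGVsbG8=\x07done\n"

if __name__ == "__main__":
    for kind, seq in find_control_sequences(SAMPLE):
        print(kind, repr(seq))
    print(sanitize_for_terminal(SAMPLE), end="")
```

Escaping ESC alone is enough to neutralise every 7-bit sequence, since CSI and OSC both start with it; the C1 branch is there because a terminal in 8-bit mode will also honour the single bytes 0x9b and 0x9d as CSI and OSC.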

      • (Score: 2) by TheRaven on Monday July 31 2017, @08:39AM (2 children)

        by TheRaven (270) on Monday July 31 2017, @08:39AM (#547037) Journal
        I'll give you cat, but the others have all had some pretty important bug fixes in the last few years. Bash was a really bad example: remember Shellshock?
        --
        sudo mod me up
        • (Score: 2) by PiMuNu on Monday July 31 2017, @10:18AM (1 child)

          by PiMuNu (3823) on Monday July 31 2017, @10:18AM (#547073)

          A couple of other people made the same comment. I would put security issues as a corner case, because they pertain to web servers - which is not the majority of users (well, pre-IOT at least).

          • (Score: 3, Insightful) by TheRaven on Monday July 31 2017, @01:49PM

            by TheRaven (270) on Monday July 31 2017, @01:49PM (#547137) Journal
            Shellshock didn't just pertain to web servers, any laptop user could have an attacker run arbitrary code as root in response to a DHCP packet.
            --
            sudo mod me up
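The DHCP case works because a DHCP client exports lease options into environment variables for a hook script that bash runs, and a vulnerable bash imported any environment value beginning with `() {` as a function definition and kept parsing past the closing brace (CVE-2014-6271), so whatever followed ran with the client's privileges. The Python below is an added example of the detection side of that, not dhclient's or bash's code: it flags values with exactly that shape, ignores a bare function definition with no trailing command, and scans a set of constructed lease options named after the variables dhclient-script uses.

```python
"""Spot Shellshock-shaped values before a hook script's environment gets them.

Added illustration for this thread; it is not dhclient's or bash's code.
CVE-2014-6271: bash imported any environment value beginning with "() {" as a
function definition and kept parsing after the closing brace, so whatever
followed ran at once, with the privileges of the process importing the
environment. The sample options below are constructed.
"""
import re

# Shape of an exploiting value: a function definition "() { ... }" followed by a
# command separator and a non-empty command. A bare definition is not flagged.
_SHELLSHOCK = re.compile(r"^\s*\(\)\s*\{.*?\}\s*[;&\n]\s*(?P<tail>\S.*)$", re.DOTALL)


def shellshock_tail(value: str):
    """Return the command that would run after the function body, or None."""
    m = _SHELLSHOCK.match(value)
    return m.group("tail").strip() if m else None


def scan_dhcp_options(options: dict) -> list:
    """Return (option name, trailing command) for each option carrying a payload."""
    hits = []
    for name, value in options.items():
        tail = shellshock_tail(value)
        if tail is not None:
            hits.append((name, tail))
    return hits


# Constructed lease options, named after the variables dhclient-script exports.
SAMPLE_OPTIONS = {
    "new_host_name": "laptop-42",
    "new_domain_name": "() { :;}; echo pwned > /tmp/owned",  # the classic test shape
    "new_domain_name_servers": "192.0.2.53",
    "new_ntp_servers": "() { ignored; }",                      # definition only, no tail
}

if __name__ == "__main__":
    for name, tail in scan_dhcp_options(SAMPLE_OPTIONS):
        print(f"{name}: would execute {tail!r}")
```

The same check applies to any other path that copies attacker-controlled strings into a bash environment, HTTP headers reaching a CGI script being the other classic one; the pattern is the same, only the source of the value changes.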
      • (Score: 2) by RamiK on Monday July 31 2017, @10:17AM (3 children)

        by RamiK (1813) on Monday July 31 2017, @10:17AM (#547072)

        Coreutils takes heavy maintenance: https://git.savannah.gnu.org/cgit/coreutils.git/log/

        Busybox are doing better but at the expense of features that people want.

        unix-verse is still targeted at people who prefer a command line to a GUI.

        Unless you use ed to edit all your text and "wget --post-data=foobar" to browse the web, you're not using a command line app. Vi... emacs... w3m... Those aren't command line apps. Those are just easy-to-code ugly-as-sin terminal GUIs.

        Don't get me wrong. I use those cli tools too. But it's not a preference. It's laziness. It gets the job done and doesn't take too much to fix. But it's still using the wrong tool for the job and when it comes to the whole system approach, it's a mistake. A market failure if you will. But not one I can fix. Just one I can identify.

        --
        compiling...
        • (Score: 2) by PiMuNu on Monday July 31 2017, @11:23AM (2 children)

          by PiMuNu (3823) on Monday July 31 2017, @11:23AM (#547093)

          > But it's still using the wrong tool for the job and when it comes to the whole system approach, it's a mistake.

          For data processing and coding, CLI tools are correct. Most of my CPU cycles are spent doing this stuff. Most of my user cycles are spent writing code and making presentations, and here I agree a GUI is better approach.

          > A market failure if you will.

          Totally agree here. If I was in charge of linux (whatever that means) I would dump my spare resource into fixing open office... clearly this is the blocking issue in linux on the desktop.

          • (Score: 0) by Anonymous Coward on Monday July 31 2017, @07:53PM

            by Anonymous Coward on Monday July 31 2017, @07:53PM (#547328)

            If I was in charge of linux (whatever that means) I would dump my spare resource into fixing open office

            If that means that you would make it 100.00 percent compatible with M$Orifice, it's important to note that M$Orifice isn't even compatible with M$Orifice.
            If you aren't using THE SAME VERSION of M$'s stuff as the guy who created the document, there can be differences in rendering.

            Hell, if you connect a different printer to your box than that of the originator, there can be differences in rendering.

            ...and I still don't understand why people distribute documents to be *read* in an *editable* format.
            ...and a PROPRIETARY format at that.

            ...and, if you actually do need to -collaborate- on the -creation- of documents, the online things seem much more universal.

            -- OriginalOwner_ [soylentnews.org]

          • (Score: 0) by Anonymous Coward on Monday July 31 2017, @09:43PM

            by Anonymous Coward on Monday July 31 2017, @09:43PM (#547381)

            > For data processing and coding, CLI tools are correct.

            Not really. A proper language, even interpreted like python, that doesn't sacrifice half its syntax for the sake of command prompt convenience would always produce better, faster and more editable results. CLI tools are for administrative operations. Small mass renaming... Finding all the files with foobar in their content... Small one-off operations that server operators need to perform occasionally. The way those tools are used in installation scripts and the like is just wrong. Web-servers calling those tools is wrong. Data analysis using those tools is wrong.

            Shell scripts should glue and pipe. Not do complex logic and heuristics. Demanding those features from those tools has been the cause of some of the worst bugs and security issues for decades while adding nothing beyond what other scripting languages are already doing better.

      • (Score: 2) by chromas on Monday July 31 2017, @04:05PM (4 children)

        by chromas (34) Subscriber Badge on Monday July 31 2017, @04:05PM (#547210) Journal

        The problem is none of these have been replaced by systemd yet. vi and emacs are, of course, soon-to-be on their way out. With advanced tools like hostnamectl, localectl—all the "*ctl"s—why would you need a text editor?

        You guys really overblow the whole systemd is anti-Unix-way anyhow. Systemd has lots of single-purpose utilities. For instance, systemd-hostnamed does one thing and does it well. And it's an important job, too.

        • (Score: 3, Insightful) by tangomargarine on Monday July 31 2017, @04:31PM (3 children)

          by tangomargarine (667) on Monday July 31 2017, @04:31PM (#547232)

          You guys really overblow the whole systemd is anti-Unix-way anyhow. Systemd has lots of single-purpose utilities. For instance, systemd-hostnamed does one thing and does it well. And it's an important job, too.

          You're ignoring the part of the Unix philosophy where all those little tools are supposed to be easily individually replaceable. Systemd's various tools are all bolted together.

          Usually somebody in these conversations claims that "modular" means "well they compile to separate executables...so what if you can't swap out any of them?"

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
          • (Score: 2) by chromas on Monday July 31 2017, @04:50PM (2 children)

            by chromas (34) Subscriber Badge on Monday July 31 2017, @04:50PM (#547241) Journal

            Oh, sorry, I was being sardonic, but not enough I guess :D

            I was hoping the "systemd-hostnamed" would give it away. It's a whole entire tool just for editing /etc/hostname. This is a thing that actually exists.

            • (Score: 2) by tangomargarine on Monday July 31 2017, @07:23PM

              by tangomargarine (667) on Monday July 31 2017, @07:23PM (#547312)

              Systemd in general is the incarnation of Poe's Law. Inverse Poe's Law? You think they must be joking then you find out no, they're actually serious.

              --
              "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
            • (Score: 0) by Anonymous Coward on Monday July 31 2017, @08:45PM

              by Anonymous Coward on Monday July 31 2017, @08:45PM (#547357)

              Sweet jesus! Yeah, can't have people knowing how to fix their own computers. Must insert some 3rd party software so you can intercept the commands before the user finds ou**destroys their own computer**.

      • (Score: 2) by tangomargarine on Monday July 31 2017, @04:26PM

        by tangomargarine (667) on Monday July 31 2017, @04:26PM (#547226)

        emacs

        If you're not constantly tinkering with emacs I think you're doing it wrong ;)

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 2) by iWantToKeepAnon on Monday July 31 2017, @05:41PM

        by iWantToKeepAnon (686) on Monday July 31 2017, @05:41PM (#547266) Homepage Journal

        ... bash ...

        Ummm, shellshock anyone?

        --
        "Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
  • (Score: 1, Interesting) by Anonymous Coward on Monday July 31 2017, @06:38AM (13 children)

    by Anonymous Coward on Monday July 31 2017, @06:38AM (#547004)

    Well... he is rolling around in cash as the misery caused by his whims is felt by other folks and all he has to do is ignore the deluge of internet name calling and labeling.

    If that was his purpose in life, making money, then I'd say he's pretty successful... so I wouldn't say he's a "dumbfuck" or a "moron". Of course everyone has different moral standards and goals in life.

    • (Score: 2) by kaszz on Monday July 31 2017, @06:50AM (11 children)

      by kaszz (4211) on Monday July 31 2017, @06:50AM (#547005) Journal

      Remedy: Make him suffer the consequences?

      End to externalization of costs. Nice banking account you got there..

      • (Score: 2, Insightful) by pvanhoof on Monday July 31 2017, @01:53PM (10 children)

        by pvanhoof (4638) on Monday July 31 2017, @01:53PM (#547141) Homepage

        Remedy: don't use his software. You are not required to do so. It's free and/or open source software. You can modify it yourself. You can replace it. You can create a replacement. What makes you believe you have to use it? Since you want to make the author of it suffer, I assume you are forced to use it? In which country is that? I never heard of a place that requires people, by law, or by force, to use systemd. Not even China as far as I know.

        • (Score: 3, Interesting) by kaszz on Monday July 31 2017, @02:48PM (8 children)

          by kaszz (4211) on Monday July 31 2017, @02:48PM (#547161) Journal

          The problem is his systemd is infesting more and more software and the cost/gain for establishing a feedback loop becomes more attractive with time.
          It's like saying if you don't like the water utility you are free to unsubscribe it. Works in theory..

          • (Score: 2) by pvanhoof on Monday July 31 2017, @03:06PM

            by pvanhoof (4638) on Monday July 31 2017, @03:06PM (#547174) Homepage

            Last time I checked there are entire distributions devoted to replacing systemd with something else. Hardly like the water utility. More like a brand of a car, or an often-used component in many car brands. Or maybe, if you take it to the extreme, like a Diesel engine.

          • (Score: 2) by digitalaudiorock on Monday July 31 2017, @04:04PM (6 children)

            by digitalaudiorock (688) on Monday July 31 2017, @04:04PM (#547209) Journal

            It's like saying if you don't like the water utility you are free to unsubscribe it. Works in theory.

            As someone who uses Gentoo with no systemd it's definitely possible, but yea, it sucks having to hope that not too many important software projects drink the systemd Kool-Aid. Things could start getting more and more difficult.

            By the way...not much sense in debating pvanhoof. There's one of him in every systemd discussion anywhere on the web. He goes on about how this is all just "systemd hate", passive aggressively pretending to be the "reasonable" one in the discussion, and proceeds to troll the thread no less than eight pro-systemd comments (and counting)...none of which have been modded up, and several which have been modded down.

            • (Score: 2) by kaszz on Monday July 31 2017, @04:29PM (4 children)

              by kaszz (4211) on Monday July 31 2017, @04:29PM (#547231) Journal

              Any notable compatibility trouble with free software going the systemd route?

              • (Score: 2) by digitalaudiorock on Monday July 31 2017, @05:30PM (3 children)

                by digitalaudiorock (688) on Monday July 31 2017, @05:30PM (#547257) Journal

                If you're asking if I've run into issues, not really, however I simply don't use anything, like Gnome for example, that requires it. So far nothing I really care about has become an issue. Hopefully most sane projects out there will continue to realize that making end user software dependent on a specific init system is basically turning into Windows ;)...which is pretty much what systemd is to anyone paying attention.

                What REALLY sucks if you ask me is that it will become impossible to find a good binary server distribution. CentOS 6 for example is simply rock solid. You couldn't pay me to use 7. That scene is just plain sad.

                • (Score: 2) by kaszz on Monday July 31 2017, @05:59PM (2 children)

                  by kaszz (4211) on Monday July 31 2017, @05:59PM (#547273) Journal

                  will continue to realize that making end user software dependent on a specific init system is basically turning into Windows ;)...which is pretty much what systemd is to anyone paying attention.

                  What is your train of thought on this?

                  • (Score: 2) by digitalaudiorock on Monday July 31 2017, @06:52PM (1 child)

                    by digitalaudiorock (688) on Monday July 31 2017, @06:52PM (#547294) Journal

                    I think there are some out there (notably Redhat) who would actually like Linux to effectively turn into Windows in that all end user software can always leverage the same interfaces exposed by one and only one monolithic init system that can be assumed to always be there. The over engineered way they approach everything even looks indistinguishable from the nightmarish way Windows does everything. That would be the end of Linux as far as I'm concerned...because it all flies in the face of everything that's made 'nix operating systems survive this long.

                    This would be a concern even if systemd wasn't actively trying to replace tried and true shit (DNS etc etc) that they have no clue about. That just makes it worse.

                    • (Score: 2) by kaszz on Monday July 31 2017, @07:00PM

                      by kaszz (4211) on Monday July 31 2017, @07:00PM (#547298) Journal

                      I think it's time for some anti-systemd software.

            • (Score: 2) by FakeBeldin on Monday July 31 2017, @08:08PM

              by FakeBeldin (3360) on Monday July 31 2017, @08:08PM (#547336) Journal

              By the way...not much sense in debating pvanhoof. There's one of him in every systemd discussion anywhere on the web. He goes on about how this is all just "systemd hate", passive aggressively pretending to be the "reasonable" one in the discussion, and proceeds to troll the thread no less than eight pro-systemd comments (and counting)...none of which have been modded up, and several which have been modded down.

              Thanks for the tip - there are indeed a lot of posts by pvanhoof further down that fit your description.

        • (Score: 2) by http on Tuesday August 01 2017, @10:58PM

          by http (1920) on Tuesday August 01 2017, @10:58PM (#547774)

          If you're not familiar with systemd, you are fuck off out of here as far as working in pretty much any org (picked at random) that uses Linux. The exceptions are... exceptions. Oh, and good luck being the new hire that tries to say, "we're switching everything to BSD because it's actually documented."

          I think you'll find the threat of homelessness and starvation fairly coercive.

          --
          I browse at -1 when I have mod points. It's unsettling.
    • (Score: 2) by pvanhoof on Monday July 31 2017, @01:51PM

      by pvanhoof (4638) on Monday July 31 2017, @01:51PM (#547138) Homepage

      Rolling around in cash ..

      The average salary at Red Hat for a Senior Software Developer is $96,984. That's not super much for software development in the US. I don't know about the details of Poettering's contract with Red Hat, of course.

      source [payscale.com]

  • (Score: 0) by Anonymous Coward on Monday July 31 2017, @04:23PM

    by Anonymous Coward on Monday July 31 2017, @04:23PM (#547224)

    In the end, it's Readhat pulling all the strings,

    There had better be a WriteHat method in that API too