On Fri, Feb 01, 2019 at 12:22:12PM -0500, Felix Miata wrote:
Is this theoretical, or real? IOW, is "poorly maintained" a label applied because of absence of "maintenance" that is a result absence of changes in a filesystem that was fully mature 20-30 years ago and thus needs no maintenance? Are the "security issues" known, or merely theoretical? If they are so little used, what real likelihood is there any attempt to use for an attack might manifest?
In last 1-2 years, I could see a pattern of growing number of networking bugs discovered using automated tools like syzkaller. Unproportionally high portion of these affect rarely used and mostly fogotten network protocols and drivers and quite a lot of them can be exploited either to crash a system or for privilege escalation. Of course, networking is a different subsystem but I have no reason to believe unmaintained and obsolete filesystems are in much better shape than unmaintained and obsolete networking protocols and drivers. And according to what I hear from colleagues working on filesystems, the situation is exactly the same. After all, IIRC the recent move to disable f2fs in openSUSE was a direct response to a series of security bugs in it. So, yes, the danger is very real and these drivers "fully mature since 20-30 years ago and thus needing no maintenance" are in fact buggy, full of security vulnerabilities and often written in a way which would today have no chance to pass through any sane and sober maintainer. Michal Kubecek -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org