Mailinglist Archive: opensuse-factory (602 mails)

Re: [opensuse-factory][PLEASE SPEAK UP] Disabling legacy file systems by default?
On Fri, Feb 01, 2019 at 12:22:12PM -0500, Felix Miata wrote:

> Is this theoretical, or real? IOW, is "poorly maintained" a label
> applied because of absence of "maintenance" that is a result of absence
> of changes in a filesystem that was fully mature 20-30 years ago and
> thus needs no maintenance? Are the "security issues" known, or merely
> theoretical? If they are so little used, what real likelihood is there
> any attempt to use for an attack might manifest?

In the last 1-2 years, I could see a pattern of a growing number of
networking bugs discovered using automated tools like syzkaller. A
disproportionately high portion of these affect rarely used and mostly
forgotten network protocols and drivers, and quite a lot of them can be
exploited either to crash a system or for privilege escalation.

Of course, networking is a different subsystem but I have no reason to
believe unmaintained and obsolete filesystems are in much better shape
than unmaintained and obsolete networking protocols and drivers. And
according to what I hear from colleagues working on filesystems, the
situation is exactly the same. After all, IIRC the recent move to
disable f2fs in openSUSE was a direct response to a series of security
bugs in it.

So, yes, the danger is very real and these drivers "fully mature since
20-30 years ago and thus needing no maintenance" are in fact buggy,
full of security vulnerabilities and often written in a way which would
today have no chance to pass through any sane and sober maintainer.

Michal Kubecek