[LEDE-DEV] Stability & release plans -- CVE-2016-5195

yanosz freifunk at yanosz.net
Sat Oct 29 02:39:26 PDT 2016


Hello,

On 10/29/2016 at 03:18 AM, J Mo wrote:
> 
> On 10/28/2016 11:39 AM, yanosz wrote:
>> 1. I'm unhappy with the state of OpenWRT at the moment. I see some
>> trouble in building and releasing. The current code base has some bugs.
>> I haven't seen a fix for "mad cow" yet. For me it is hard to estimate
>> whether OpenWRT is able to include, build and release critical patches
>> over the next months in a timely fashion.
> 
> My impression is that CVE-2016-5195 (also known by its marketing name
> for low-intellect individuals as "dirty COW") is mostly a non-issue on
> OpenWRT/LEDE. This is why you have not heard much about a response for it.
> 
> The exploit is a privilege escalation. However, almost everything on a
> standard LEDE/OpenWRT system already runs as root anyway, since these
> kinds of systems are not designed for multi-user scenarios.

Depends :-).
OpenWRT has a big package repository, offering dozens of applications. I
guess that you're right for about > 80% of all OpenWRT users, but there
are others. As far as I'm aware, discussions on CVE-2016-5195 are
taking place at https://forum.openwrt.org/viewtopic.php?id=68181 so some
people do care - some discussions are happening on openwrt-dev, too.

However, I'm neither interested in discussing the impact of a local root
exploit, nor the urgency for this kind of fix.

I'm trying to estimate the liveliness and its future impact for OpenWRT.
Take
https://lists.openwrt.org/pipermail/openwrt-devel/2016-July/041987.html
for instance.
Please don't get me wrong: I'm not saying that OpenWRT is unable to do
releases, but KanjiMonster's statements make me worry about the shape
of OpenWRT-Setup when something bigger happens.

Greetz, yanosz

-- 
For those of you without hope, we have rooms with color TV,
cable and air conditioning
