As luck would have it, I have found a serious issue in a core component of the Hurd. It is a denial of service, which can then be turned into privilege escalation.
I have developed an exploit. Here it is in action:

    sergey@sergey-hurd-box:~/hax$ id
    uid=1000(sergey) gid=1000(sergey) groups=1000(sergey),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),103(netdev)
    sergey@sergey-hurd-box:~/hax$ ./hax
    Got root auth port :)
    root@sergey-hurd-box:~/hax# id
    uid=0(root) gid=0(root) groups=0(root)
    root@sergey-hurd-box:~/hax#

(To be clear, I'm not the first person to realize that, let's say, _this way of doing things_ could be exploited. I just stumbled on a piece of code, realized that it uses a problematic pattern, thought of possible ramifications, and developed the specific exploit.)

As far as I can see from Git history, this vulnerability has been present in the code base for more than 20 years.

Is such a vulnerability already known (and am I just late to the party)?

If it's not known, how do I responsibly disclose this, so that nobody's system gets hacked? I guess I could send the vulnerability description and the exploit source code in a private e-mail; is there perhaps a dedicated GNU e-mail address for this purpose? How do we ensure that a future commit fixing the vulnerability doesn't immediately disclose what it was? Or, should I just dump the whole thing out in the open on this mailing list? Should we get a CVE ID assigned? Should we notify Debian?

Sergey

P. S. On a personal note, it has been *very* exciting to find the issue and develop a successful exploit! But now I'm a bit lost as to what to do next. And sorry for throwing more stuff at you. This can certainly wait for a few more days if it hasn't been discovered for 20 years.