Hi Demi Marie,

Demi Marie Obenour wrote on Fri, Mar 25, 2022 at 12:13:59PM -0400:

> Linux’s netfront and blkfront drivers recently had a security
> vulnerability (XSA-396) that allowed a malicious backend to potentially
> compromise them. In follow-up audits, I found that OpenBSD’s xnf(4)
> currently trusts the backend domain. I reported this privately to Theo
> de Raadt, who indicated that OpenBSD does not consider this to be a
> security concern.
>
> This is obviously a valid position for the OpenBSD project to take, but
> it is surprising to some (such as myself) from the broader Xen
> ecosystem. Standard practice in the Xen world is that bugs in frontends
> that allow a malicious backend to cause mischief *are* considered
> security bugs unless there is explicit documentation to the contrary.

I do not have the slightest idea what you are talking about here,
so I am not commenting on any of the above.

> As such, I believe this deserves to be noted in xnf(4) and xbf(4)’s man
> pages.

I can't comment whether this needs mentioning in the manual either,
but others will likely answer that question when you send a patch.

> If the OpenBSD project agrees, I am willing to write a patch,
> but I have no experience with mandoc

You do not need experience with mandoc(1) to write a manual page patch.
To get the formatting right, looking at the mdoc(7) manual page ought
to be sufficient. But don't worry too much if you have no experience
with mdoc(7). The main job of people submitting manual page patches
is to get the content, wording, and placement of the text right.
The formatting can easily be tweaked if needed.

> so it might take a few tries.

That's not a problem; the saying here goes "bad patches trigger
good ones".

Yours,
  Ingo