| 1 |
On Thursday 05 November 2009, Robert Bradbury wrote: |
| 2 |
> There was discussion on /. today about there being a potential bug |
| 3 |
> which allows users to obtain root privileges. Apparently its been |
| 4 |
> fixed in BSD but may still be a problem in RedHat distributions. It |
| 5 |
> is supposed to be fixed in the kernel but only as of 2.6.32. |
| 6 |
> |
| 7 |
> Is the fix being back-ported to 2.6.31 or should people plan/attempt |
| 8 |
> to run the kernel directly from kernel.org sources before they make |
| 9 |
> it into the Gentoo releases? |
| 10 |
|
| 11 |
I am not part of the kernel maintainers, but from what I see stabling a |
| 12 |
2.6.31 release usually means stabling the latest released patch. I |
| 13 |
assume Linux stable maintainers (upstream) will incorporate the NULL |
| 14 |
dereference patch into an upcoming release (2.6.31.6?). |
| 15 |
|
| 16 |
As far as exploitability is concerned, in default configurations of |
| 17 |
gentoo-, vanilla- and hardened-sources this bug cannot be exploited to |
| 18 |
escalate privileges beyond a kernel panic. |
| 19 |
|
| 20 |
The security team is tracking the vulnerability in this bug: |
| 21 |
https://bugs.gentoo.org/show_bug.cgi?id=291904 |
| 22 |
|
| 23 |
We have recently extended our team with Björn (asym) who will be working |
| 24 |
closer with our kernel maintainers and improve developer (and user!) |
| 25 |
tools to keep systems secure. But I won't spoil the fun of explaining |
| 26 |
that in detail and leave it to him. |
| 27 |
|
| 28 |
|
| 29 |
Robert |
Archives