1 |
On Thursday 05 November 2009, Robert Bradbury wrote: |
2 |
> There was discussion on /. today about there being a potential bug |
3 |
> which allows users to obtain root privileges. Apparently its been |
4 |
> fixed in BSD but may still be a problem in RedHat distributions. It |
5 |
> is supposed to be fixed in the kernel but only as of 2.6.32. |
6 |
> |
7 |
> Is the fix being back-ported to 2.6.31 or should people plan/attempt |
8 |
> to run the kernel directly from kernel.org sources before they make |
9 |
> it into the Gentoo releases? |
10 |
|
11 |
I am not part of the kernel maintainers, but from what I see stabling a |
12 |
2.6.31 release usually means stabling the latest released patch. I |
13 |
assume Linux stable maintainers (upstream) will incorporate the NULL |
14 |
dereference patch into an upcoming release (2.6.31.6?). |
15 |
|
16 |
As far as exploitability is concerned, in default configurations of |
17 |
gentoo-, vanilla- and hardened-sources this bug cannot be exploited to |
18 |
escalate privileges beyond a kernel panic. |
19 |
|
20 |
The security team is tracking the vulnerability in this bug: |
21 |
https://bugs.gentoo.org/show_bug.cgi?id=291904 |
22 |
|
23 |
We have recently extended our team with Björn (asym) who will be working |
24 |
closer with our kernel maintainers and improve developer (and user!) |
25 |
tools to keep systems secure. But I won't spoil the fun of explaining |
26 |
that in detail and leave it to him. |
27 |
|
28 |
|
29 |
Robert |