New Linux Kernel Vulnerability
Stop Or I'll Noop writes "Paul Starzetz writes, "A critical security vulnerability has been found in the Linux kernel memory management code inside the mremap(2) system call due to a missing function return value check. This bug is completely unrelated to the mremap bug disclosed on 05-01-2003 except concerning the same internal kernel function code." Full scoop here."
Update: 03/07 20:53 GMT by T : This vulnerability (and its fixes) was mentioned briefly in an update to this earlier posting.
Not a new vulnerability (Score:5, Informative)
Re:Which kernels are affected (Score:4, Informative)
Re:Damn (all your base are belong to us) (Score:5, Informative)
Not a big deal really (Score:5, Informative)
Only versions: 2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24, 2.6 up to and including 2.6.2
-jmoen-
From the link... (Score:3, Informative)
Local, not remote.
In general: If an attacker has local access or can gain the equivalent by using a remote access tool, a local exploit can be a problem.
So, personally I'm not too worried though others with different types of users or configurations might have a high level of concern.
Old news (Score:5, Informative)
known since 18 Feb 2004 (Score:5, Informative)
isec just waited some weeks until they released the exploit...
Comment removed (Score:5, Informative)
Re:Here we go again (Score:5, Informative)
Do I laugh or do I cry? ...
Laugh, I would say. While both laughing and crying are versatile enough to be used regardless of whether it is a time of great happiness or great sadness, laughing is definitely more "out there".
just when I had finished compiling 2.4.25 on my systems..
Anyone who "just finished compiling" the latest release of their favorite kernel tree is all set (assuming they installed it), since this "new kernel vulnerability" is only new in the /. sense. I would think that people who are super-concerned about such things would recognize that in reading the bulletin.
Did I read the security bulletin correctly?
No, you did not. :-( When it said...
2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24, 2.6 up to and including 2.6.2
...you mistook the 2.2 for a 2.4 and thought that it affected your 2.4.25 kernel.
This is medium old news. (Score:5, Informative)
You just thought it was the third because you already heard about two, and forgot that sometimes things take a week or so to make it to
if you patched two weeks ago, you can ignore this (Score:3, Informative)
Thank $DEITY I don't need to patch/reboot again. I was starting to get a bit annoyed at having to patch the kernel twice in two months. Scheduling reboots of machines in use by many people is no fun.
Patched in 2.6.3 apparently (Score:5, Informative)
[+] kernel 2.6.3 vulnerable: NO exploitable NO
There's also a patch to mremap listed in the 2.6.3 ChangeLog. So I don't know how "new" this bug is.
Re:Many eyes, but wide open or tight shut ? (Score:5, Informative)
Re:"Windows users: want Security, install linux"?? (Score:4, Informative)
In Linux, peer review found it, fixed it and made the information available, so you know that you have an exploit.
Linux seems much more Mainstream to me. Until people write perfect, bug free, secure software, give me a system that at least I can keep up to date and have a chance to protect myself.
Re:Many eyes, but wide open or tight shut ? (Score:5, Informative)
My thinking is that Linux on the desktop is going to need a contingency plan for a widespread vulnerability, similar to what Microsoft does with Automatic Updates.
I'm guessing you don't use Linux then. All major distros release such updates very quickly, and RedHat at least had a desktop icon that alerted users if updates were available. The kernel will get patched if it needs to, but it's up to the distro vendors to include something "idiot proof" to yell if the system needs an update.
Re:More critical vulnerability in FreeBSD (Score:3, Informative)
Re:Many eyes, but wide open or tight shut ? (Score:2, Informative)
this vulnerability announcement is a month old (Score:5, Informative)
http://www.slackware.com/changelog/stable.php?c
"
Wed Feb 18 03:44:42 PST 2004
patches/kernels/: Recompiled to fix another bounds-checking error in
the kernel mremap() code. (this is not the same issue that was fixed
on Jan 6) This bug could be used by a local attacker to gain root
privileges. Sites should upgrade to a new kernel. After installing
the new kernel, be sure to run 'lilo'.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN
Thanks to Paul Starzetz for finding and researching this issue.
(* Security fix *)
"
2.4.25 and 2.6.3 are NOT affected by this hole, and there is a patch for 2.4.24 which you can make yourself by diffing a vanilla 2.4.24 kernel with slackware 9.1's 2.4.24 kernel source package.
CmdrTaco, before you post another "announcement" like this, do your homework. The last thing we need is more security disinformation surrounding Linux.
Re:Many eyes, but wide open or tight shut ? (Score:5, Informative)
I actually read the bug report then, and I read it now, and when I got down to the bug explanation (with the lines of X's representing memory) I realized it was the exact same one I had seen before!
Re:Many eyes, but wide open or tight shut ? (Score:2, Informative)
Re:Which kernels are affected (Score:1, Informative)
Re:Which kernels are affected (Score:4, Informative)
- ide-scsi is deprecated for CD burners
- USB now relies on hotplug/libusb/whatnot
Jesus man, why don't you read the fucking 2.6 migration FAQ before posting bollocks?
which are vulnerable (Score:5, Informative)
Here's the immediately pertinent part:
Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges. The vulnerability may also lead to a denial-of-service attack on the available system memory.
Tested and known to be vulnerable kernel versions are all
So it looks like we've all got to update to the latest of respective trees. I guess the days of running a kernel for months on end are pretty much over.
Re:2.6.3? (Score:1, Informative)
Slashdot: when news breaks, you get the pieces.
Re:Many eyes, but wide open or tight shut ? (Score:3, Informative)
On Debian/Red Hat with APT:
apt-get update && apt-get dist-upgrade
On Red Hat with up2date:
up2date -u
On Mandrake:
urpmi.update && urpmi --auto-select
And so on. Now obviously these could be improved (i.e. mail the admin if it fails), but auto-updating is a lot easier under Linux.
Comment removed (Score:3, Informative)
Re:Story is a troll!!!!! (Score:2, Informative)
Re:if you patched two weeks ago, you can ignore th (Score:3, Informative)
Oh yes, I know how to use /usr/bin/patch. But where is the patch itself, like linux-2.4.24-mremap.patch? For instance,
cat linux-2.4.24-mremap.patch | patch -p0
would do the job. However _where_ is the linux-2.4.24-mremap.patch to be found?
Robert
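One way to produce such a patch yourself, following the suggestion earlier in the thread of diffing a vanilla 2.4.24 tree against a vendor's already-fixed tree, and then applying it safely. This is an added example, not code from the thread, from isec or from any distribution; it assumes GNU diff and GNU patch (for --dry-run), and the two source trees it builds are constructed stand-ins, not real kernel files.

```shell
#!/bin/sh
# Added example: build a backport patch from two source trees and apply it with a
# dry run first, so a rejected hunk never leaves a half-patched tree behind.

# make_patch BASE OLD NEW OUT: unified, recursive diff of BASE/OLD against BASE/NEW,
# written to OUT with paths relative to BASE (so it applies with -p1 from inside a tree).
# Returns 0 only when the trees differ; identical trees (diff status 0) or an error
# (status 2) remove OUT and return 1.
make_patch() {
    (cd "$1" && diff -ruN "$2" "$3") > "$4" && rc=0 || rc=$?
    if [ "$rc" -eq 1 ]; then return 0; fi
    rm -f "$4"
    return 1
}

# apply_patch PATCHFILE TREE: check every hunk with --dry-run before touching TREE.
# -p1 strips the leading "vanilla/" or "vendor/" directory from the paths in the diff;
# a diff made from inside the tree would need -p0 instead.
apply_patch() {
    (cd "$2" && patch -s --dry-run -p1 < "$1") || return 1
    (cd "$2" && patch -s -p1 < "$1")
}

# demo: exercise the two helpers on constructed trees; prints "ok", "mismatch",
# or "skipped" when no patch(1) binary is available.
demo() {
    command -v patch >/dev/null 2>&1 || { echo skipped; return 0; }
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/vanilla/mm" "$tmp/vendor/mm" "$tmp/target/mm"
    # Constructed stand-ins for mm/mremap.c; the contents are not kernel source.
    printf 'line one\nold code\nline three\n'   > "$tmp/vanilla/mm/mremap.c"
    printf 'line one\nfixed code\nline three\n' > "$tmp/vendor/mm/mremap.c"
    cp "$tmp/vanilla/mm/mremap.c" "$tmp/target/mm/mremap.c"
    make_patch "$tmp" vanilla vendor "$tmp/backport.patch" || { rm -rf "$tmp"; return 1; }
    apply_patch "$tmp/backport.patch" "$tmp/target"       || { rm -rf "$tmp"; return 1; }
    # The patched target must now be byte-identical to the vendor tree.
    if diff -q "$tmp/target/mm/mremap.c" "$tmp/vendor/mm/mremap.c" >/dev/null; then r=ok; else r=mismatch; fi
    rm -rf "$tmp"
    echo "$r"
}

demo
```

The -p level is the usual stumbling block: it must match how many leading path components the diff header carries, which depends on where diff was run, not on the patch tool. Running the dry run first costs nothing and turns a wrong -p or a stale tree into a clean failure instead of a tree with some files patched and some not.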
Re:Many eyes, but wide open or tight shut ? (Score:2, Informative)
SuSE has a similar thing. Dunno about other distros.
There are a couple of problems here though:
There are a number of steps that need to be taken before a patch is installed, and each of them may take quite a bit of time: computer needs to check for patches, mirror server (if any) needs to have patches from main patch server (in my case this is sometimes an issue, but I could go directly to ftp.suse.com, if it's not completely bogged down already), user needs to be alerted, user needs to choose to patch. All this could be done in an automated way, but it would still take some time, during which the machine would be vulnerable.
And then, after patching, programs or the whole machine may need to be restarted. This can't very well be automated, at least not by default.
I'm semi-admining a SuSE 8.2 box where the automatic update script emailed me every day with a list of already-installed patches. Stupid. :-P So I got it to not email me. So now I have no clue when I need to reboot, and the machine is probably open to several known vulnerabilities right now.
I'd say that single(ish)-user machines really need to be properly firewalled, but unfortunately there's no such thing as a satisfactory default policy. (Outgoing IRC traffic, for instance, should be open for IRCers but not for anyone else.) On multi-user machines there's no substitute for vigilant admins.
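Two questions recur through the thread: which kernels are affected, and, after an update, whether the box is still running the old kernel because nobody rebooted. Here is an added example script that answers both on a host; it is not from the thread, from isec or from any distribution. It encodes only the version ranges the advisory lists (2.2 up to 2.2.25, 2.4 up to 2.4.24, 2.6 up to 2.6.2), reads the running version from uname -r, and compares it against the kernels installed under /boot; the /boot/vmlinuz-<version> naming and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or any distribution): check the running kernel
# against the mremap advisory's version ranges and report whether a newer kernel is
# installed but not yet booted. Assumes /boot/vmlinuz-<version> naming.

# ver_lt A B: true (exit 0) when dotted version A is numerically lower than B.
# A vendor suffix such as "-smp" or "-custom" is ignored; "2.4" compares as "2.4.0".
ver_lt() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$x" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$y" = "$b" ]; then b=; else b=${b#*.}; fi
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # keep leading digits only ("3rc1" -> "3")
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# mremap_affected VER: "yes"/"no" for the branches the advisory covers
# (2.2 <= 2.2.25, 2.4 <= 2.4.24, 2.6 <= 2.6.2), "unknown" for any other branch.
mremap_affected() {
    v=${1%%-*}
    case $v in
        2.2|2.2.*) if ver_lt "$v" 2.2.26; then echo yes; else echo no; fi ;;
        2.4|2.4.*) if ver_lt "$v" 2.4.25; then echo yes; else echo no; fi ;;
        2.6|2.6.*) if ver_lt "$v" 2.6.3;  then echo yes; else echo no; fi ;;
        *)         echo unknown ;;
    esac
}

# reboot_needed RUNNING INSTALLED...: "yes" when any installed version is newer than
# the one actually running, i.e. the box was updated but never rebooted.
reboot_needed() {
    cur=$1; shift
    for k in "$@"; do
        if ver_lt "$cur" "$k"; then echo yes; return 0; fi
    done
    echo no
}

main() {
    running=$(uname -r)
    echo "running kernel $running: in advisory's affected range -> $(mremap_affected "$running")"
    set --
    for f in /boot/vmlinuz-*; do
        [ -e "$f" ] && set -- "$@" "${f#/boot/vmlinuz-}"
    done
    if [ $# -gt 0 ]; then
        echo "installed kernels: $*"
        echo "newer kernel installed but not booted -> $(reboot_needed "$running" "$@")"
    fi
}
main
```

A version string cannot see backports: Slackware's patched 2.4.24, mentioned earlier in the thread, still reports "yes" here. Treat "yes" as "go read the distribution's changelog", not as proof of exposure, and treat "unknown" as exactly that.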
Re:This is medium old news. (Score:2, Informative)
Everybody considering this bug "news" should check his way to track security announcements!
Re:Story is a troll!!!!! (Score:3, Informative)
But, what he's saying is, it's NOT still there. It's been fixed already.
Re:Proof-of-Concept Code (Score:2, Informative)
Error: unbalanced parenthesis in operand 1.
The solution (for me) was to compile it with GCC 3.3.2.
The output on my system (unfortunately for me) is:
New exploit for an already fixed issue. (Score:1, Informative)