Hole In Linux Kernel Provides Root Rights

Posted by Soulskill
from the everything-old-is-new-again dept.
oztiks writes with this excerpt from The H: "A vulnerability in the 32-bit compatibility mode of the current Linux kernel (and previous versions) for 64-bit systems can be exploited to escalate privileges. For instance, attackers can break into a system and exploit a hole in the web server to get complete root (also known as superuser) rights or permissions for a victim's system. According to a report, the problem occurs because the 32-bit call emulation layer does not check whether the call is truly in the Syscall table. Ben Hawkes, who discovered the problem, says the vulnerability can be exploited to execute arbitrary code with kernel rights. ... Hawkes says the vulnerability was discovered and remedied back in 2007, but at some point in 2008 kernel developers apparently removed the patch, reintroducing the vulnerability. The older exploit apparently only needed slight modifications to work with the new hole."
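To make the bug class in the excerpt concrete, here is an added illustration (constructed for this page, not the kernel's code and not the exact defect Hawkes reported): a table-driven syscall dispatcher whose number check is narrower than the index it actually uses, beside the version that validates the same full-width value before touching the table. The table, the function names and the truncated-compare mechanism are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration, not kernel code: a table-driven dispatcher
 * of the kind the story describes, with a missing/insufficient range
 * check on the syscall number beside the corrected check. */

typedef long (*sys_fn)(long arg);

static long sys_noop(long arg)  { (void)arg; return 0; }
static long sys_echo(long arg)  { return arg; }
static long sys_twice(long arg) { return 2 * arg; }

/* Hypothetical emulation table: index == syscall number. */
static const sys_fn compat_table[] = { sys_noop, sys_echo, sys_twice };
#define COMPAT_NR_SYSCALLS (sizeof compat_table / sizeof compat_table[0])

#define ENOSYS_RET (-38L)   /* constructed stand-in for -ENOSYS */

/* Broken (assumed failure mode): only the low 32 bits are compared
 * against the table size, but the full 64-bit value is later used as
 * the index, so a number with upper bits set passes the check and would
 * read a function pointer from outside the table. */
static int index_is_validated_narrow(uint64_t nr)
{
    return (uint32_t)nr < COMPAT_NR_SYSCALLS;   /* truncating compare */
}

/* Fixed: compare exactly the value that is used as the index. */
static int index_is_validated_full(uint64_t nr)
{
    return nr < COMPAT_NR_SYSCALLS;
}

/* Dispatcher built on the correct check; anything not in the table,
 * including "negative" or upper-bit-polluted numbers, gets -ENOSYS. */
long compat_dispatch(uint64_t nr, long arg)
{
    if (!index_is_validated_full(nr))
        return ENOSYS_RET;
    return compat_table[nr](arg);
}

/* Probes: does a given number get past each check? Neither probe
 * dereferences the table, so both are safe to call with any value. */
int narrow_check_accepts(uint64_t nr) { return index_is_validated_narrow(nr); }
int full_check_accepts(uint64_t nr)   { return index_is_validated_full(nr); }
```

The value `0x100000001` is the telling input: its low 32 bits are a valid index, so the narrow check accepts it while the full-width check rejects it.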

  • by Anonymous Coward on Saturday September 18, 2010 @08:23PM (#33623272)

    I mean this is what, the third 'reverted' security patch we've heard about in the recent past that needed replacement?

    Maybe it's time to separate out core kernel code and the arch specific stuff into separate modules with separate administration. Git would make this easy, so why aren't we seeing it done?

  • Re:Serve them right (Score:3, Interesting)

    by iGaucho (1904126) on Saturday September 18, 2010 @08:41PM (#33623362)
    And that's why I use OpenBSD :)
  • Re:Patch (Score:2, Interesting)

    by larry bagina (561269) on Saturday September 18, 2010 @10:26PM (#33623818) Journal

    The C standard doesn't specify sizes but requires that

    sizeof(long) >= sizeof(int) >= sizeof(short) >= sizeof(char)

    so if a char is 32-bit, a short must be 32-bit (or more) as well. C99's <stdint.h> requires typedefs (e.g. uint8_t, int8_t) for 8-, 16-, and 32-bit signed and unsigned integers.

  • by mr_mischief (456295) on Sunday September 19, 2010 @04:48AM (#33625722) Journal

    Around 15% to 25% of revenues going to customer acquisition and retention (marketing, sales calls, rebates, incentives, whatever) is a pretty common budgetary decision in US businesses. So yeah, after payroll, facilities, and other operating costs marketing and sales are a major expense. The most common advice I get as a small-business owner both online and in person from other business owners is 20%.

    I've heard as low as 10%, but that's still a big chunk of the budget. I've also heard of people spending as high as 40% of revenues for a short period when entering a new market segment.

    It's informative to stick "how much to spend on marketing" into a search engine and see what the different magazines, forums, and blogs say. Different industries of course have slightly different needs, but at least 10% and not more than 30% under normal circumstances should be a decent starting place for considering what to spend.

  • Re:Serve them right (Score:4, Interesting)

    by Gordonjcp (186804) on Sunday September 19, 2010 @06:00AM (#33625976) Homepage

    While OpenBSD doesn't have a perfect record for security

    OpenBSD has got a *terrible* record for security. The illusion of security is only maintained because every time someone discovers a gaping exploit in OpenBSD, Theo moves the goalposts on what he considers a security hole. Just look at all the descriptions of "errata" for OpenBSD - bugfixes for security holes!

    Theo is like that kid who, no matter what game you were playing, would always start making up bullshit rules whenever he started losing. Like, "Tag! You're it!" "No I'm not it, that tag didn't count because I'm uh... I'm near this rock".
    Don't be that kid. That kid is a dick.

  • Re:In Soviet Russia! (Score:2, Interesting)

    by BrokenHalo (565198) on Sunday September 19, 2010 @01:52PM (#33628666)
    I'm sorry, but as a Burroughs B3700 guy, it's really hard to watch a VMS guy get a chuckle at somebody else given their chosen OS's inferiority and not have a chuckle about it myself.

    And yes, I actually was a B3700 guy. Now get off my lawn. ;-)
