Root Privileges Through Linux Kernel Bug 131
Lars T. writes "The H has a story about a Linux kernel bug that allows root level access. 'According to a report written by Rafal Wojtczuk (PDF), a conceptual problem in the memory management area of Linux allows local attackers to execute code at root level. The Linux issue is caused by potential overlaps between the memory areas of the stack and shared memory segments.' SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004, but for unknown reasons this fix was not included in the Linux kernel. The bug is not related to the X Server bug found by Brad Spengler."
As the linked article notes: "SUSE itself has the fix and SUSE Linux Enterprise 9, 10 and 11 as well as openSUSE 11.1 through 11.3 do not exhibit this vulnerability."
Re:Linux! "It just works!" (Score:1, Interesting)
Indeed, 5 years old and no exploit. Patched several years ago by the distros. The question is why didn't it get back into the kernel tree.
Re: Ask the Kernel Overlords (Score:5, Interesting)
Why not ask the kernel developers? Nah, I'm not just joking, don't ask those nutjobs anything, they'll just freak out and start yelling at you.
I've seen many similar statements, so there may be some truth to this, but my experience is that they give you a short-as-possible only-most-relevant question such as "Can you bisect?" or reply like "Patch rejected: missing signoff". It appears their time is very valuable or they have to pay $5 pr. typed letter.
Re:Ummmmm, a local exploit. (Score:3, Interesting)
Re:Nothing to see here.... (Score:5, Interesting)
Re: Ask the Kernel Overlords (Score:4, Interesting)
Compare to Apple... (Score:3, Interesting)
Compare this to Apple, which still hasn't fixed my Darwin kernel ring 0 exploit, which I reported in June.
It's x86-only, so no, it can't be used for the second step of an iPhone jailbreak. =(
Re:Nothing to see here.... (Score:3, Interesting)
Re:you didn't do it right (Score:1, Interesting)
"...the correct procedure is to keep pestering the maintainer..." wow, THAT's a screwed up procedure. If I go through the effort of identifying a flaw and submitting a patch and the maintainer doesn't acknowledge my existence, the hell I'm going to keep pestering him...
I mean THAT's the reality of it, it isn't that the maintainer just misplaced the e-mail. E-mails from Linus don't get accidentally misplaced. So why should e-mails reporting and fixing vulns get misplaced? It's BS and it's a little elitist club, and that needs to be fixed, rather than the submitter needing to dedicate his/her life to getting listened to by the members of the elitist club.