FS#15935 - [kernel26] security vulnerability (NULL pointer dereference).
Attached to Project:
Arch Linux
Opened by Leo Bärring (tlvb) - Friday, 14 August 2009, 15:59 GMT
Last edited by Roman Kyrylych (Romashka) - Monday, 17 August 2009, 14:47 GMT
Details
Description:
A new kernel security vulnerability has been discovered.

Linux NULL pointer dereference due to incorrect proto_ops initializations

Details: http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
Patch with a fix(?): http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

All Linux 2.4/2.6 versions since May 2001 are believed to be affected:
- Linux 2.4, from 2.4.4 up to and including 2.4.37.4
- Linux 2.6, from 2.6.0 up to and including 2.6.30.4
Comment by Gerardo Exequiel Pozzi (djgera) - Friday, 14 August 2009, 16:38 GMT
Comment by Dan McGee (toofishes) - Friday, 14 August 2009, 21:14 GMT
Comment by Roman Kyrylych (Romashka) - Monday, 17 August 2009, 14:47 GMT
- Field changed: Summary (Kernel security vulnerability (NULL pointer dereference). → [kernel26] security vulnerability (NULL pointer dereference). )
- Field changed: Status (Unconfirmed → Assigned)
- Field changed: Severity (Critical → High)
- Task assigned to Tobias Powalowski (tpowa)
Reducing severity since vm.mmap_min_addr is set to 4096 in current
kernels.
This should be unexploitable in our current kernel.
Even though it's not a problem with our default kernel, a new
package kernel26-2.6.30.5-1 was released (upstream update) which
fixes the issue even if the default mmap_min_addr was overridden.
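
The triage this task walks through (affected version ranges from the description, the vm.mmap_min_addr value from the severity note), written out as an added example that is not part of the original ticket. The function names, the output labels and the use of 4096 as the threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a kernel against the ranges and mitigation named in
# this task. Version ranges and the 4096 figure are taken from the ticket text.

# ver_le A B: succeed if dotted numeric version A <= B (missing fields are 0).
ver_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# classify VERSION MMAP_MIN_ADDR prints one of:
#   outside-affected-range | affected-mitigated | affected-exposed
classify() {
    v=${1%%[!0-9.]*}        # drop suffixes such as "-1" or "-ARCH"
    min_addr=$2
    affected=no
    case $v in
        2.4|2.4.*) ver_le 2.4.4 "$v" && ver_le "$v" 2.4.37.4 && affected=yes ;;
        2.6|2.6.*) ver_le 2.6.0 "$v" && ver_le "$v" 2.6.30.4 && affected=yes ;;
    esac
    if [ "$affected" = no ]; then
        echo outside-affected-range
    elif [ "$min_addr" -ge 4096 ]; then
        # Same reasoning as the severity reduction: the vulnerable code is
        # present, but vm.mmap_min_addr is at least the value the ticket cites.
        echo affected-mitigated
    else
        echo affected-exposed
    fi
}

# Direct use: sh triage.sh [VERSION]; VERSION defaults to `uname -r`.
# A release string can omit the stable point release (x.y.z.N), so passing the
# installed kernel package version is more reliable.
if [ -r /proc/sys/vm/mmap_min_addr ]; then
    classify "${1:-$(uname -r)}" "$(cat /proc/sys/vm/mmap_min_addr)"
fi
```

A version-range match is only a heuristic on kernels that carry backported fixes; the package changelog is the authority there.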