Old 14-02-2008, 07:33 AM   #1 (permalink)
Host4Cheap.org
 
Sukhdeep Singh's Avatar
 
Join Date: May 2005
Location: Digit Forum
Posts: 2,102
Default Major Linux security hole found


Quote:
Feb. 11, 2008

Security, the experts like to tell us, is a process, not a product.

With open source that can be a very good thing since when security problems are found they can be fixed quickly. That's the case over this last weekend, Feb. 9-10, when a security problem was found, and given a hot fix, in the 2.6.17 to the most recent production Linux kernel, 2.6.24.1.

The problem's exploit was first shown on the security site Milw0rm. The specific trouble is with the kernel system call sys_vmsplice.

This system call moves data from a user space memory address range via a pipe to another destination. Like its relations, splice, which reads and writes data to/from the buffer and tee, which is commonly used to display a program's output and sends it into a file, this is a data transfer system call. It is primarily used in virtual memory management. Thus, in and of itself, end-users will never directly encounter it.

However, thanks to the release of exploit code, a user with just a bit of knowledge on how to compile his or her own program in Linux will be able to exploit a server. The bug's effect is, in those versions of Linux using these kernels with this system call compiled in, to enable ordinary users with shell access to obtain root, superuser privileges. The security hole has been demonstrated in Debian, Fedora and Ubuntu.
Source : http://www.linux-watch.com/news/NS8844914464.html
__________________
★ Want to start your Website, No worries - here is how ★
http://www.thinkdigit.com/forum/showthread.php?t=66717

★ Host4Cheap - cPanel Webhosting & Reseller Plans ★
http://www.host4cheap.org/

Old 14-02-2008, 04:14 PM   #2 (permalink)
String Phreak
 
mediator's Avatar
 
Join Date: Mar 2005
Location: In ur Evil Mind!
Posts: 2,457
Default Re: Major Linux security hole found

LINUX HOLE PATCHED

Quote:
Not long after we reported that there was a major security hole in Linux, the Linux kernel developers came up with a permanent patch for the problem.

The security hole was with the relatively new Linux kernel system call sys_vmsplice. This system call moves data from a user space memory address range via a pipe to another destination. It's present in Linuxes using the Linux kernel from Version 2.6.17 to what had been the latest production Linux kernel, 2.6.24.1.

An exploit for this system call was revealed on the security exploit site Milw0rm on Feb. 9. This exploit showed that a user with local shell access and the exploit in hand could obtain root, master administration access to a Linux system.

A hot-fix was issued almost immediately. The permanent patch was delivered on the evening of Feb. 10. As Greg Kroah-Hartman, senior Linux developer employed by Novell, reported that night, "All currently active Linux kernel versions are now released with a fix for this problem. We have released them through our normal channels, with the needed information as to what the problem is, a pointer to the CVE number, and the patch itself."

There are two slightly different versions of the patch, depending on which Linux kernel you're running. But as master Linux developer Linus Torvalds wrote on the LKML (Linux Kernel Mailing List) concerning this, "In this particular case, maybe some [stable] person [a developer working on the stable, rather than experimental, versions of Linux] might have felt that they just didn't want to change semantics for the NULL pointer, or maybe they didn't even notice that what I committed to the development tree was slightly changed. It _really_ doesn't matter."

Updated versions of the kernel with the fix are now available for Debian, Ubuntu, openSUSE, Fedora, Red Hat and presumably all other mainstream Linuxes. Many of them, such as openSUSE, are automatically delivering the repaired Linux system.

—Steven J. Vaughan-Nichols


__________________
Bad Bad server.....No candy for u!
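
The two quoted articles give the affected range as kernel 2.6.17 through 2.6.24.1 and say fixed kernels are available from the distributions. As an added example (not part of either post or of the quoted articles), the function below triages `uname -r` style strings against that range; the function name and the sample release strings are constructed for illustration. An "in-range" result is a prompt to check the distribution's kernel update, because a vendor kernel can carry the fix without its upstream version number changing.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass triage of kernel release
# strings against the range the quoted articles give, 2.6.17 through 2.6.24.1.

# vmsplice_triage RELEASE
# Prints "in-range", "outside" or "unknown" for a `uname -r` style string.
vmsplice_triage() {
    # Drop the distribution suffix ("-14-generic", "-53.el5"); what remains
    # is the upstream version a.b.c[.d].
    upstream=${1%%-*}
    printf '%s\n' "$upstream" | awk -F. '
        # Anything that does not start with "digits.digits" is not a version.
        $0 !~ /^[0-9]+\.[0-9]+/ { print "unknown"; exit }
        {
            # Pack up to four fields into one comparable number; a missing
            # field counts as 0, so 2.6.17 sorts below 2.6.17.1.
            key = (($1 * 1000 + $2) * 1000 + $3) * 1000 + $4
            lo  = ((2 * 1000 + 6) * 1000 + 17) * 1000 + 0   # 2.6.17
            hi  = ((2 * 1000 + 6) * 1000 + 24) * 1000 + 1   # 2.6.24.1
            verdict = (key >= lo && key <= hi) ? "in-range" : "outside"
            print verdict
        }'
}

# Constructed sample inventory, followed by the local host.
for rel in 2.6.16.60 2.6.18-53.el5 2.6.22-14-generic 2.6.24.1 2.6.24.2 \
           "$(uname -r)"; do
    printf '%-28s %s\n' "$rel" "$(vmsplice_triage "$rel")"
done
```
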
Old 14-02-2008, 05:45 PM   #3 (permalink)
 Macboy
 
goobimama's Avatar
 
Join Date: Sep 2004
Location: Goa
Posts: 4,486
Default Re: Major Linux security hole found

^^ Ah the power of Opensource
__________________
I'm like a bird... :)
Old 16-02-2008, 03:05 PM   #4 (permalink)
Wise Old Owl
 
hullap's Avatar
 
Join Date: Dec 2006
Location: delhi
Posts: 1,429
Default Re: Major Linux security hole found

^^ right
Old 16-02-2008, 04:15 PM   #5 (permalink)
The Devil's Advocate
 
iMav's Avatar
 
Join Date: Mar 2006
Location: Masti Ki Paathshaala
Posts: 7,019
Default Re: Major Linux security hole found

they all are as vulnerable
__________________
"The problem that shows up with the three red lights on the console is a complex interaction with some very complex parts.” - Robbie Bach

http://beingmanan.com
twitter: manan | Last.FM: manan
Old 16-02-2008, 04:21 PM   #6 (permalink)
String Phreak
 
mediator's Avatar
 
Join Date: Mar 2005
Location: In ur Evil Mind!
Posts: 2,457
Default Re: Major Linux security hole found

Exceptions are always there
__________________
Bad Bad server.....No candy for u!
Old 16-02-2008, 05:05 PM   #7 (permalink)
The Devil's Advocate
 
iMav's Avatar
 
Join Date: Mar 2006
Location: Masti Ki Paathshaala
Posts: 7,019
Default Re: Major Linux security hole found

no there are no Exceptions
__________________
"The problem that shows up with the three red lights on the console is a complex interaction with some very complex parts.” - Robbie Bach

http://beingmanan.com
twitter: manan | Last.FM: manan
Old 16-02-2008, 08:30 PM   #8 (permalink)
The Dark lord
 
Voldy's Avatar
 
Join Date: Jun 2007
Location: The Riddle house
Posts: 361
Default Re: Major Linux security hole found

Opensource power !!!
__________________
Starting tonight... people will die. I'm a man of my word. - The Joker
"You either die a hero... or you live long enough to see yourself become the villain."