
Potential security leak in Linux kernel + fix


Aragorn

Nov 10, 2009, 2:14:27 AM
With thanks to Bit Twister, who brought this to our attention in
alt.os.linux.mandriva. Details in the article at the URL below.

http://www.itworld.com/security/83917/an-important-linux-fix

--
*Aragorn*
(registered GNU/Linux user #223157)

Grant

Nov 10, 2009, 6:06:32 AM
On Tue, 10 Nov 2009 08:14:27 +0100, Aragorn <ara...@chatfactory.invalid> wrote:

>With thanks to Bit Twister, who brought this to our attention in
>alt.os.linux.mandriva. Details in the article at the URL below.
>
> http://www.itworld.com/security/83917/an-important-linux-fix

Was fixed long time ago, old news...

Grant.
--
http://bugsplatter.id.au

Aragorn

Nov 10, 2009, 1:47:44 PM
On Tuesday 10 November 2009 12:06 in comp.os.linux.security, somebody
identifying as Grant wrote...

> On Tue, 10 Nov 2009 08:14:27 +0100, Aragorn
> <ara...@chatfactory.invalid> wrote:
>
>> With thanks to Bit Twister, who brought this to our attention in
>> alt.os.linux.mandriva. Details in the article at the URL below.
>>
>> http://www.itworld.com/security/83917/an-important-linux-fix
>
> Was fixed long time ago, old news...

Doesn't appear to have been fixed in my PCLinuxOS 2009.2 here, running a
2.6.26.8 kernel.

Grant

Nov 10, 2009, 2:18:14 PM

The current -stable kernel is 2.6.27.39 (extended maintenance
version), or 2.6.31.6. Up to you to keep the kernel current.

I run 2.6.27.latest on slackware-11, and 2.6.latest-stable
on slackware-13.

See:

http://www.kernel.org/pub/linux/kernel/v2.6/?C=M&O=D

for latest source. Patching and compiling a new kernel is not
rocket science, though it helps if you script the boring bits ;)

Grant.
--
http://bugsplatter.id.au

David W. Hodgins

Nov 10, 2009, 2:46:30 PM
On Tue, 10 Nov 2009 06:06:32 -0500, Grant <g_r_a...@bugsplatter.id.au> wrote:

> On Tue, 10 Nov 2009 08:14:27 +0100, Aragorn <ara...@chatfactory.invalid> wrote:
>
>> With thanks to Bit Twister, who brought this to our attention in
>> alt.os.linux.mandriva. Details in the article at the URL below.
>>
>> http://www.itworld.com/security/83917/an-important-linux-fix
>
> Was fixed long time ago, old news...

You're thinking of another bug, as I was, when I first read this.
See http://www.us-cert.gov/cas/bulletins/SB09-313.html
released 2009-11-04, it affects all kernels prior to 2.6.32-rc6.

Most distributions are not affected, as they set
/proc/sys/vm/mmap_min_addr to a value other than zero, but
currently up-to-date redhat and suse systems are affected.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Aragorn

Nov 10, 2009, 3:26:23 PM
On Tuesday 10 November 2009 20:18 in comp.os.linux.security, somebody
identifying as Grant wrote...

> On Tue, 10 Nov 2009 19:47:44 +0100, Aragorn
> <ara...@chatfactory.invalid> wrote:
>
>> On Tuesday 10 November 2009 12:06 in comp.os.linux.security, somebody
>> identifying as Grant wrote...
>>
>>> On Tue, 10 Nov 2009 08:14:27 +0100, Aragorn
>>> <ara...@chatfactory.invalid> wrote:
>>>
>>>> With thanks to Bit Twister, who brought this to our attention in
>>>> alt.os.linux.mandriva. Details in the article at the URL below.
>>>>
>>>> http://www.itworld.com/security/83917/an-important-linux-fix
>>>
>>> Was fixed long time ago, old news...
>>
>> Doesn't appear to have been fixed in my PCLinuxOS 2009.2 here,
>> running a 2.6.26.8 kernel.
>
> The current -stable kernel is 2.6.27.39 (extended maintenance
> version), or 2.6.31.6. Up to you to keep the kernel current.
>
> I run 2.6.27.latest on slackware-11, and 2.6.latest-stable
> on slackware-13.
>
> See:
>
> http://www.kernel.org/pub/linux/kernel/v2.6/?C=M&O=D
>
> for latest source. Patching and compiling a new kernel is not
> rocket science, though it helps if you script the boring bits ;)

I did not post the original article because I am worried but because
someone was kind enough to post this to alt.os.linux.mandriva, and
apparently - apart from the still very fresh Mandriva 2010 distribution
that's only been out for a week or so - all recent Mandriva versions
had this flaw, and so chances are that most other distributions have it
as well - I know that SuSE doesn't, but that's about the only one.
That's why I posted it, i.e. so as to inform those concerned enough.

One of the reasons why I'm not concerned is that this here is a temporary
machine. It's got hardware flaws and it regularly crashes, but I'll
have another box to replace it in just a few weeks. At this stage,
this machine is sitting on a residential internet connection with no
services running on it other than sshd - which is only reachable to
customers of my own ISP - and all direct root logins have been
disabled.

As for patching kernels, I don't like that, even though it is indeed not
rocket science. I do however roll my own kernels for important
machines, so it's not like I'm afraid to get my hands dirty. I've
never even built a kernel that wouldn't boot, not even at my first
attempt. As this machine here is not important, I don't see why I
should bother installing another kernel, whether binary or from
sources.

Allen Kistler

Nov 10, 2009, 7:40:12 PM
David W. Hodgins wrote:
> On Tue, 10 Nov 2009 06:06:32 -0500, Grant <g_r_a...@bugsplatter.id.au>
> wrote:
>
>> On Tue, 10 Nov 2009 08:14:27 +0100, Aragorn
>> <ara...@chatfactory.invalid> wrote:
>>
>>> With thanks to Bit Twister, who brought this to our attention in
>>> alt.os.linux.mandriva. Details in the article at the URL below.
>>>
>>> http://www.itworld.com/security/83917/an-important-linux-fix
>>
>> Was fixed long time ago, old news...
>
> You're thinking of another bug, as I was, when I first read this.
> See http://www.us-cert.gov/cas/bulletins/SB09-313.html
> released 2009-11-04, it affects all kernels prior to 2.6.32-rc6.
>
> Most distributions are not affected, as they set
> /proc/sys/vm/mmap_min_addr to a value other than zero, but
> currently up-to-date redhat and suse systems are affected.

My currently up-to-date Red Hat system has ...

$ cat /proc/sys/vm/mmap_min_addr
4096

... so, not vulnerable, no tweaking required on my part.
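
Added example, not part of the original post: the check above extended into a small script that classifies the running vm.mmap_min_addr value and also looks for a persistent setting in the sysctl configuration files, since the value read from /proc only describes the current boot. The function names and the order in which the configuration files are read are assumptions of this example.

```shell
#!/bin/sh
# Audit vm.mmap_min_addr: the running value and any persistent sysctl setting.
# File paths are parameters so the functions can be run on constructed files.

# classify_min_addr VALUE -> "protected" (non-zero), "exposed" (zero), "unknown"
classify_min_addr() {
    case "$1" in
        ''|*[!0-9]*) echo unknown ;;
        *) if [ "$1" -gt 0 ]; then echo protected; else echo exposed; fi ;;
    esac
}

# running_status [FILE] -> classification of the value in the procfs file
running_status() {
    f=${1:-/proc/sys/vm/mmap_min_addr}
    if [ ! -r "$f" ]; then echo unknown; return 0; fi
    classify_min_addr "$(tr -d '[:space:]' < "$f")"
}

# persistent_value FILE... -> last uncommented vm.mmap_min_addr assignment,
# taking the files in the order given (a later file overrides an earlier one)
persistent_value() {
    val=
    for f in "$@"; do
        if [ ! -r "$f" ]; then continue; fi
        v=$(sed -n 's/^[[:space:]]*vm\.mmap_min_addr[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    echo "$val"
}

# Report for this host. Assumed order: sysctl.d fragments first, sysctl.conf last.
echo "running:    $(running_status)"
p=$(persistent_value /etc/sysctl.d/*.conf /etc/sysctl.conf)
echo "persistent: ${p:-not set} ($(classify_min_addr "$p"))"
```

A running value of "protected" together with a persistent value of 0 means the setting was raised by hand and will be lost at the next boot; "not set" means the kernel's built-in default applies at boot.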

Grant

Nov 10, 2009, 8:18:42 PM

Sure, I read the referenced article, did the cat /proc/... test
with a 4096 result -- so the Internet facing machine I care about
here doesn't have the issue.


>
>One of the reasons why I'm not concerned is that this here is a temporary
>machine. It's got hardware flaws and it regularly crashes, but I'll
>have another box to replace it in just a few weeks. At this stage,
>this machine is sitting on a residential internet connection with no
>services running on it other than sshd - which is only reachable to
>customers of my own ISP - and all direct root logins have been
>disabled.

Well yes, common sense says we don't allow logins from public 'net
unless really necessary.

>
>As for patching kernels, I don't like that, even though it is indeed not
>rocket science. I do however roll my own kernels for important
>machines, so it's not like I'm afraid to get my hands dirty. I've
>never even built a kernel that wouldn't boot, not even at my first
>attempt. As this machine here is not important, I don't see why I
>should bother installing another kernel, whether binary or from
>sources.

Well I can remember reinstalling linux to recover from a bad new
custom kernel a dozen years ago :) I occasionally get boot
failures from over-optimistic custom kernels on new installs --
key is to not break the distro kernel so one may reboot and recover.


Patching a kernel to latest version lightens the load on the
kernel.org source servers -- rather than download complete new
kernel source, one simply reverses the most-recent-1 patch and
applies the most-recent patch, compile, fixup bootloader and
reboot.

Much better than unpacking a new source, transfer .config and
so on.

Plus downloading only, for example, 132kB patch instead of 59MB
tarball for 2.6.31.6.

Grant.
--
http://bugsplatter.id.au

Grant

Nov 10, 2009, 8:22:33 PM
On Tue, 10 Nov 2009 14:46:30 -0500, "David W. Hodgins" <dwho...@nomail.afraid.org> wrote:

>On Tue, 10 Nov 2009 06:06:32 -0500, Grant <g_r_a...@bugsplatter.id.au> wrote:
>
>> On Tue, 10 Nov 2009 08:14:27 +0100, Aragorn <ara...@chatfactory.invalid> wrote:
>>
>>> With thanks to Bit Twister, who brought this to our attention in
>>> alt.os.linux.mandriva. Details in the article at the URL below.
>>>
>>> http://www.itworld.com/security/83917/an-important-linux-fix
>>
>> Was fixed long time ago, old news...
>
>You're thinking of another bug, as I was, when I first read this.
>See http://www.us-cert.gov/cas/bulletins/SB09-313.html
>released 2009-11-04, it affects all kernels prior to 2.6.32-rc6.

Maybe so, skimming thru several hundred lkml posts/day (usually
only viewing subject line) means I only have the vaguest idea of
what's going on in there ;)

I do update to -stable version as they come out.


>
>Most distributions are not affected, as they set
>/proc/sys/vm/mmap_min_addr to a value other than zero, but
>currently up-to-date redhat and suse systems are affected.

Well, my old slackware-11 is not affected.

Grant.
--
http://bugsplatter.id.au

David W. Hodgins

Nov 11, 2009, 4:49:05 AM
On Tue, 10 Nov 2009 19:40:12 -0500, Allen Kistler <acki...@oohay.moc> wrote:

> My currently up-to-date Red Hat system has ...
> $ cat /proc/sys/vm/mmap_min_addr
> 4096
> ... so, not vulnerable, no tweaking required on my part.

My apologies. Instead of posting that up-to-date Redhat and Suse
systems were vulnerable, I should have posted that the article
stated that Redhat and Suse systems were vulnerable.

I think my point still stands that this is a relatively new bug,
that has only been publicized in the last week or so, not an old
bug that was fixed a long time ago.

Nico Kadel-Garcia

Nov 11, 2009, 7:59:30 AM
On Nov 11, 4:49 am, "David W. Hodgins" <dwhodg...@nomail.afraid.org>
wrote:

> On Tue, 10 Nov 2009 19:40:12 -0500, Allen Kistler <ackist...@oohay.moc> wrote:
> > My currently up-to-date Red Hat system has ...
> > $ cat /proc/sys/vm/mmap_min_addr
> > 4096
> > ... so, not vulnerable, no tweaking required on my part.
>
> My apologies.  Instead of posting that up-to-date Redhat and Suse
> systems were vulnerable, I should have posted that the article
> stated that Redhat and Suse systems were vulnerable.
>
> I think my point still stands that this is a relatively new bug,
> that has only been publicized in the last week or so, not an old
> bug that was fixed a long time ago.
>
> Regards, Dave Hodgins

Fortunately, RedHat and SuSE are very good about porting such patches
to their existing kernels very quickly. That saves me a lot of work
maintaining kernels manually, which I lack time to do, especially on
older systems where updating the kernel too far would break a *lot*.

Unruh

Nov 11, 2009, 1:40:24 PM
"David W. Hodgins" <dwho...@nomail.afraid.org> writes:

>On Tue, 10 Nov 2009 06:06:32 -0500, Grant <g_r_a...@bugsplatter.id.au> wrote:

>> On Tue, 10 Nov 2009 08:14:27 +0100, Aragorn <ara...@chatfactory.invalid> wrote:
>>
>>> With thanks to Bit Twister, who brought this to our attention in
>>> alt.os.linux.mandriva. Details in the article at the URL below.
>>>
>>> http://www.itworld.com/security/83917/an-important-linux-fix
>>
>> Was fixed long time ago, old news...

>You're thinking of another bug, as I was, when I first read this.
>See http://www.us-cert.gov/cas/bulletins/SB09-313.html
>released 2009-11-04, it affects all kernels prior to 2.6.32-rc6.

>Most distributions are not affected, as they set
>/proc/sys/vm/mmap_min_addr to a value other than zero, but
>currently up-to-date redhat and suse systems are affected.

So are mandriva systems.
