Critical Linux kernel bugs discovered


Tarun

  • Administrator

Security researchers have uncovered "critical" security flaws in a version of the Linux kernel used by a large number of popular distributions. The three bugs, which allow unauthorized access to kernel memory, exist in all versions of the Linux kernel up to 2.6.24.1, including Ubuntu, Red Hat, and others.

The three bugs allow unauthorized users to read or write to kernel memory locations or to access certain resources in certain servers, according to a SecurityFocus advisory.

They could be exploited by malicious, local users to cause denial of service attacks, disclose potentially sensitive information, or gain "root" privileges, according to security experts.

The bug affects all versions of the Linux kernel up to version 2.6.24.1, which contains a patch. Distributions such as Ubuntu, Turbolinux, SuSE, Red Hat, Mandriva, Debian and others are affected.

The problems are within three functions in the system call fs/splice.c, according to an advisory from Secunia.

"In the 2.6.23 kernel, the system call functionality has been further extended resulting in ... critical vulnerabilities," said iSEC Security Research in an advisory.

Secunia disagreed about the bugs' seriousness, giving them a less critical ranking.

Exploit code for the vulnerabilities has been released publicly on the hacker site milw0rm.com, and Core Security Technologies has also developed a commercial exploit for the bugs, researchers said.

Researchers advised system administrators to update their kernels immediately.

Last month, a U.S. Department of Homeland Security bug-fixing scheme uncovered an average of one security glitch per 1,000 lines of code in 180 widely used open-source software projects.

Secunia also previously discovered that the number of security bugs in the open-source Red Hat Linux operating system and Firefox browser far outstripped comparable products from Microsoft last year.

Source: InfoWorld

Link: Lunarsoft Frontpage

Luckily you don't have to wait until next patch Tuesday, you can get the patch right now.

People who use canned distributions (Debian/Ubuntu, RedHat/Fedora, and so on) are left waiting a lot longer than patch Tuesday, as it takes quite a while between distro releases, and that's just in reference to everyday packages. This is the kernel, which isn't a lot of fun to work with as an end-user, especially if you had to go through the trouble of recompiling a canned distro's kernel to get something working. Now you have to start over and/or wait until your canned distro comes out with a new release or easy-to-implement patch. Remember, it's not just nerds using Linux... everyday people are more and more starting to use it because of the accessibility of canned distros.

(Don't worry about citing me examples of canned distros that have already upgraded or whatever, I was just speaking in general.)

Canned distributions?

I am using Ubuntu 8.04 "Hardy Heron" (Alpha 4), and I do occasionally get kernel updates via the Update Manager.

Not sure if kernel updates are available for Ubuntu 7.04 "Feisty Fawn" though, since it's a stable release.

When I used Slackware a couple of years ago, there used to be pre-compiled kernel binaries available from the FTP in the Slackware-current/ directory.

Back then I used to compile my own kernels from source too; it was fun, interesting and, for a geek like me, not difficult.

But it was in the 2.4 series of the kernels on Slackware; I haven't bothered to compile the 2.6 series yet, or tried it on Ubuntu.

$ uname -a

Linux ubuntu 2.6.24-8-generic #1 SMP Thu Feb 14 20:40:45 UTC 2008 i686 GNU/Linux
