
[DSA 1494-1] Missing update for user-mode-linux (was: [SECURITY] [DSA 1494-1] New linux-2.6 packages fix privilege escalation)



Hi,

The update for DSA 1494-1 lacks an update for the user-mode-linux package.
Note that I tried the exploit found in the wild. It worked fine with the
standard linux-image-2.6.18-6-686 kernel, but led to a crash both in my
user-mode-linux virtual servers and with the
linux-image-2.6.18-6-686-bigmem. I guess it is possible to adapt the
exploit for those kernels, but I have not tried.

I tried to rebuild user-mode-linux, using the updated source. Using this
new user-mode-linux kernel, the same exploit just fails, as it does on
an up-to-date kernel.

I think this package deserves an official upgrade.


Cheers,

Nicolas

