Re: Backport of the integer overflow in the brk system call

To: debian-devel@lists.debian.org
Subject: Re: Backport of the integer overflow in the brk system call
From: Andreas Metzler <ametzler@downhill.at.eu.org>
Date: Tue, 02 Dec 2003 10:08:03 +0100
Message-id: <[🔎] E1AR6Vn-0001YY-Vx@mid.downhill.at.eu.org>
Mail-followup-to: <debian-devel@lists.debian.org>
References: <[🔎] 3FCBCF99.3000907@sentinel.dk>

Frederik Dannemare <tux@sentinel.dk> wrote:
> just curious: any particular reason why we didn't see a backport any sooner of 
> the integer overflow in the brk system call (see recent announcement by 
> Wichert Akkerman: 
> http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00212.html) 
> like we did with the ptrace issue some time back?

> Wasn't it (the brk vuln) considered to be threatening enough to justify a 
> quick fix, or was it because the fix by Andrew Morton didn't say (kerne 
> changelog) enough about the potential seriousness of the vuln, or?

Apparently nobody knew it was comparable to ptrace, it looked like a
simple bugfix and not like a local root exploit.

| Robert van der Meulen managed to decrypt the binary which revealed
| a kernel exploit.
                   cu andreas

Reply to:

Follow-Ups:
- Re: Backport of the integer overflow in the brk system call
  - From: Tom <tb.31123.nospam@comcast.net>
- Re: Backport of the integer overflow in the brk system call
  - From: Andrew Pollock <debian-lists@andrew.net.au>

References:
- Backport of the integer overflow in the brk system call
  - From: Frederik Dannemare <tux@sentinel.dk>

Prev by Date: Re: Revival of the signed debs discussion
Next by Date: Re: [debian-devel] Re: Bits from the RM
Previous by thread: Re: Backport of the integer overflow in the brk system call
Next by thread: Re: Backport of the integer overflow in the brk system call
Index(es):
- Date
- Thread