[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Backport of the integer overflow in the brk system call

Frederik Dannemare <tux@sentinel.dk> wrote:
> just curious: any particular reason why we didn't see a backport any sooner of 
> the integer overflow in the brk system call (see recent announcement by 
> Wichert Akkerman: 
> http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00212.html) 
> like we did with the ptrace issue some time back?

> Wasn't it (the brk vuln) considered to be threatening enough to justify a 
> quick fix, or was it because the fix by Andrew Morton didn't say (kerne 
> changelog) enough about the potential seriousness of the vuln, or?

Apparently nobody knew it was comparable to ptrace, it looked like a
simple bugfix and not like a local root exploit.

| Robert van der Meulen managed to decrypt the binary which revealed
| a kernel exploit.
                   cu andreas

Reply to: