Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory
Quoting Adam ENDRODI (borso@vekoll.saturnus.vein.hu):
> Just a humble question: how the average user who doesn't use the
> kernel sources provided by Debian and cannot follow lk should have
> known about the bug? The changelog read ``Add TASK_SIZE check to
> do_brk()'', there's no indication that it's a security fix.
>
> I'm really curious how you cope with it.
Oh, it gets worse than that. In this case, at least Andrew Morton
noticed the memory-management bug (September), and Marcelo sent in a
patch (2003-10-02). Sure, nobody (except a black hat) realised the
security implications, but at least a patch existed. You also have to
worry about bugs that _only_ black hats have discovered and that they've
figured out how to exploit.[1]
That's part of why klecker, murphy, and gluck were running AIDE. Also,
sysadmins were alert enough to notice master and murphy showing
suspiciously similar kernel-oops symptoms.
So, there you have two of the ways that people cope: (1) Attentive
sysadmins, and (2) well-configured and monitored IDSes.
[1] Not to mention use of security tokens stolen from compromised
remote systems:
http://linuxmafia.com/faq/Security/breakin-without-remote-vulnerability.html
See also Wichert's very canny list of recommendations at the bottom of
http://www.wiggy.net/debian/developer-securing/
--
Cheers, find / -user your -name base -print | xargs chown us:us
Rick Moen
rick@linuxmafia.com