Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory
Adam ENDRODI wrote:
> Just a humble question: how the average user who doesn't use the
> kernel sources provided by Debian and cannot follow lk should have
> known about the bug? The changelog read ``Add TASK_SIZE check to
> do_brk()'', there's no indication that it's a security fix.
> I'm really curious how you cope with it.
Usually, kernel security issues are resolved in the following way:
* bugs are discovered
* some vendor is notified (it used to be a Red Hat employee)
* all active branches are fixed in BK, with cryptic log messages
* vendors prepare release
* next official stable kernel is released
* vendors release advisories
* now it's clear that the official release contains security fixes
Keep in mind that there is no official security contact for the kernel,
and no established bug handling procedure. Time to fix is now measured
in months, and official kernel release schedules do not take security
issues into account (nowadays, not even critical data loss mandates a
coordinated emergency release).
In short: Don't run official, unpatched kernels. Use vendor kernels.