[DSA 1494-1] Missing update for user-mode-linux (was: [SECURITY] [DSA 1494-1] New linux-2.6 packages fix privilege escalation)
- To: firstname.lastname@example.org
- Subject: [DSA 1494-1] Missing update for user-mode-linux (was: [SECURITY] [DSA 1494-1] New linux-2.6 packages fix privilege escalation)
- From: Nicolas Boullis <email@example.com>
- Date: Tue, 12 Feb 2008 16:09:00 +0100
- Message-id: <47B1B68C.firstname.lastname@example.org>
- In-reply-to: <email@example.com>
- References: <firstname.lastname@example.org>

The update for DSA 1494-1 lacks an update for the user-mode-linux package.

Note that I tried the exploit found in the wild. It worked fine with the
standard linux-image-2.6.18-6-686 kernel, but led to a crash both in my
user-mode-linux virtual servers and with the
linux-image-2.6.18-6-686-bigmem. I guess it is possible to adapt the
exploit for those kernels, but I have not tried.

I tried to rebuild user-mode-linux, using the updated source. Using this
new user-mode-linux kernel, the same exploit just fails, as it does on
an up-to-date kernel.

I think this package deserves an official upgrade.