No ELF Vulnerability in 2.6 Kernel

← Back to Stories (view on slashdot.org)

No ELF Vulnerability in 2.6 Kernel

Posted by Hemos on Monday May 30, 2005 @03:10AM from the good-news-bear dept.

gaijincory writes "Greg KH, the co-maintainer of the 2.6 kernel has posted a comment on lwn.net confirming that there is indeed no such ELF vulnerability as spelled out by Paul Starzetz on isec. The bug was originally thought to be particularly nasty, allowing a malicious user to gain elevated privileges using a carefully crafted binary which would exploit the kernel's Executable and Linking Format. The bug's author confirmed that no one has been able to repro the exploit."

10 of 86 comments (clear)

Min score:

Reason:

Sort:

No ELF vulnerability eh? by NightWulf · 2005-05-30 03:13 · Score: 4, Funny

What about the DWARF and GNOME vulnerabilities though? Eh where's your answer now Greg?
1. Re:No ELF vulnerability eh? by tanek · 2005-05-30 03:52 · Score: 2, Funny
  
  Aw come on, don't be such a TROLL.
2. Re:No ELF vulnerability eh? by maxwell+demon · 2005-05-30 04:14 · Score: 1, Funny
  
  Well, let's see if I can get a cheap Karma, too :-) (However I guess it will just end up Funny with several Overrateds ...)
  
  GNOME (GNU Network Object Model Environment) is a desktop environment.
  
  GNU of course is short for GNU's Not Unix, so the second-level expansion of GNOME is GNU's Not Unix Network Object Model Environment. Which indeed is a true statement, since GNU indeed is no Unix Network Object Model Environment.
  
  Of course recursive expansion of GNU does no good. GNU's Not Unix Not Unix doesn't make much sense. GNU's Not Unix Not Unix Network Object Model Environment doesn't sound any better.
  
  BTW, are there any GNU vulnerabilities in the Linux kernel? You know, I'd not like to have a wounded GNU in my computer. It would only give me trouble with the animal welfare activists. Of course DWARF vulnerabilities could cause trouble with Amnesty International, so it's also something you really want to check.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
3. Re:No ELF vulnerability eh? by CamilaAcolide · 2005-05-30 04:32 · Score: 4, Funny
  
  Ahhh, just like old times... "MY DWARF IS GONNA DEBUG THAT ELF!" "OK, ROLL 1D20" ... "YOU MISSED, THAT ELF HAS NO VULNERABILITIES!!"
The bug's author? by Looke · 2005-05-30 03:24 · Score: 5, Funny

Who's "the bug's author"? He who discovered it or he who wrote the code?
"I'm a bug author. Today I've written five bugs!" Sounds like a nice career choice ...
Huh by Anonymous Coward · 2005-05-30 03:30 · Score: 1, Funny

"The bug's author confirmed that no one has been able to repro the exploit"

That's really comforting.
Re:Why so confident? by caluml · 2005-05-30 03:35 · Score: 2, Funny

I made it work by running:

# echo 992FE4:336FF00 > /dev/kmem
as root.

--
Get your own free personal location tracker
As an Elf... by Zakabog · 2005-05-30 04:04 · Score: 4, Funny

Speaking for myself, and elves everywhere, this is great news. I can finally use my favorite OS without worrying about any attacks I'm opening myself to.
Re:Why so confident? by maxwell+demon · 2005-05-30 04:32 · Score: 4, Funny

Hmmm ... this gives me an idea. You can extend a file from the shell by using the >> operator on it. Maybe I might be able to double my memory for free by just doing cat /dev/kmem >> /dev/kmem.

This technique could have other uses as well. Your hard disk is too small? Well, double your hard disk space with cat /dev/hda >> /dev/hda. You can even make a floppy as large as your hard disk by typing cat /dev/hda >> /dev/fd0!

Well, actually I think I'll make my main memory and disks grow infinitely:

cat /dev/zero >> /dev/kmem & cat /dev/zero >> /dev/hda &

SCNR :-)

--
The Tao of math: The numbers you can count are not the real numbers.
Re:Why so confident? by caluml · 2005-05-30 05:13 · Score: 2, Funny

Instead of bothering with your whole disk, if you just upgrade the first 512 bytes of the disk, you get the same effect. Try
dd if=/dev/zero of=/dev/hda bs=1 count=512
Of course, I don't recommending doing anything you learnt from a webpage unless you fully understand what it does.

--
Get your own free personal location tracker