Slashdot Mirror


Bug In Most Linuxes Can Give Untrusted Users Root

Red Midnight and other readers brought to our attention a bug in most deployed versions of Linux that could result in untrusted users getting root access. The bug was found by Brad Spengler last month. "The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable. While attacks can be prevented by implementing a common feature known as mmap_min_addr, the RHEL distribution... doesn't properly implement that protection... The... bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature. ... [Spengler] said many other Linux users are also vulnerable because they run older versions or are forced to turn off [mmap_min_addr] to run certain types of applications." The Register reprints a dialog from the OpenBSD-misc mailing list in which Theo de Raadt says, "For the record, this particular problem was resolved in OpenBSD a while back, in 2008. We are not super proud of the solution, but it is what seems best faced with a stupid Intel architectural choice. However, it seems that everyone else is slowly coming around to the same solution."
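The mitigation the summary keeps coming back to, mmap_min_addr, is a kernel setting that forbids unprivileged processes from mapping the lowest pages of their address space, so a kernel null pointer dereference has nothing attacker-controlled to land on. The script below is an added example for auditing that setting on a host; it is not code from the Slashdot summary, The Register, or any of the people quoted. It reads the live value from /proc/sys/vm/mmap_min_addr (the same knob as sysctl vm.mmap_min_addr) and grades it against a threshold of 65536, which is an assumed value chosen because many distributions ship it, not a number taken from the page. As the summary itself notes about RHEL, a distribution can set the value yet enforce it incorrectly, so a passing result confirms the configuration, not the kernel's behaviour.

```shell
#!/bin/sh
# Added example (not from the page): audit the vm.mmap_min_addr mitigation.
# A non-zero value stops unprivileged processes from mapping the lowest pages,
# which is what makes a kernel NULL-pointer dereference unexploitable by that route.

MMAP_MIN_ADDR_FILE=/proc/sys/vm/mmap_min_addr
RECOMMENDED_MIN=65536   # assumed threshold; common distribution default, not from the page

# check_mmap_min_addr VALUE
# Returns 0 if VALUE is a plain non-negative integer >= RECOMMENDED_MIN, 1 otherwise.
check_mmap_min_addr() {
    value=$1
    case "$value" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a plain integer
    esac
    [ "$value" -ge "$RECOMMENDED_MIN" ]
}

# classify_mmap_min_addr VALUE
# Prints one word describing VALUE: "ok", "weak", "disabled" or "invalid".
classify_mmap_min_addr() {
    value=$1
    case "$value" in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    if [ "$value" -eq 0 ]; then
        echo disabled          # protection switched off entirely
    elif [ "$value" -lt "$RECOMMENDED_MIN" ]; then
        echo weak              # set, but below the assumed threshold
    else
        echo ok
    fi
}

# audit_host: read the live setting on a Linux host, print a verdict and the
# persistent fix if needed, and return the check result (2 if unavailable).
audit_host() {
    if [ ! -r "$MMAP_MIN_ADDR_FILE" ]; then
        echo "mmap_min_addr: unavailable ($MMAP_MIN_ADDR_FILE not readable)"
        return 2
    fi
    current=$(cat "$MMAP_MIN_ADDR_FILE")
    verdict=$(classify_mmap_min_addr "$current")
    echo "mmap_min_addr: $current ($verdict, recommended >= $RECOMMENDED_MIN)"
    if [ "$verdict" != ok ]; then
        echo "To harden persistently, drop a file into /etc/sysctl.d/ containing:"
        echo "    vm.mmap_min_addr = $RECOMMENDED_MIN"
        echo "and apply it with: sysctl --system"
    fi
    check_mmap_min_addr "$current"
}

# Run the audit when executed directly; never abort the script on a weak host.
audit_host || true
```

The grading is deliberately split from the file read so that the same functions can be fed values captured from a fleet (for example, a sysctl dump collected by configuration management) without running on the host itself. A "weak" verdict on an older distribution that defaulted to a lower value is worth a second look rather than an automatic failure, since the right threshold depends on the workloads the summary mentions that need low mappings.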

2 of 281 comments

  1. Re:So? by yttrstein · Score: 1, Troll

    I say "I'd rather pay nothing for bugs like this than $400 for all the same borkedness in Server 2008"

  2. Re:So? by morgauxo · Score: 1, Troll

    I could say "The... bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature."

    I could compare the average time to fix a critical bug between the two platforms.

    I could point out that we will never know what bugs Microsoft is sitting on without reporting.

    I could point out how Windows servers just don't seem to work well if they aren't rebooted regularly while Linux boxes just seem to go until the hardware wears out.

    I could point out that my wife's Vista box is 2 to 4 times faster than my Gentoo box in just about all hardware stats and yet I usually get about 10 times the framerate in games with 3D graphics.

    I could point out all the hardware (printers, scanners, etc...) my Windows-using friends and relatives threw out because there were no Vista drivers.

    I could point out the ease of installing software with a good package manager.

    I could talk about the wealth of free software available for Linux (yes, some of it has Windows ports).

    I could mention the price of Windows, or the prices of most of the popular software that most Windows users claim they need Windows for. (not really relevant when most people pirate it anyway though)

    I might go on and on telling all sorts of true stories about Windows vs Linux, but who would really want to read them?