5-Year-Old Linux Kernel Bug Fixed

← Back to Stories (view on slashdot.org)

5-Year-Old Linux Kernel Bug Fixed

Posted by Soulskill on Tuesday May 13, 2014 @09:55AM from the must-have-been-union dept.

rastos1 sends in a report about a significant bug fix for the Linux kernel (CVE-2014-0196). "'The memory-corruption vulnerability, which was introduced in version 2.6.31-rc3, released no later than 2009, allows unprivileged users to crash or execute malicious code on vulnerable systems, according to the notes accompanying proof-of-concept code available here. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device. 'This is the first serious privilege escalation vulnerability since the perf_events issue (CVE-2013-2049) in April 2013 that is potentially reliably exploitable, is not architecture or configuration dependent, and affects a wide range of Linux kernels (since 2.6.31),' Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. 'A bug this serious only comes out once every couple years.' ... While the vulnerability can be exploited only by someone with an existing account, the requirement may not be hard to satisfy in hosting facilities that provide shared servers, Rosenberg said."

127 comments

Min score:

Reason:

Sort:

This is the problem with Linux Security by metrix007 · 2014-05-13 10:00 · Score: 3, Insightful

Linux and Greg K-H have both gone on record saying that security issues are just another type of bug, and don't deserve any type of special treatment.
This is crap. A bug that allows remote code execution or even a DoS is a much, much bigger issues than fixing the user experience or minor stability issues.
When you don't assign the significant to security issues that they deserve, they go unpatched for 5 years.
It's kind of a concern.

--
If you ignore ACs because they are anonymous - you're an idiot.
1. Re:This is the problem with Linux Security by metrix007 · 2014-05-13 10:04 · Score: 3, Interesting
  
  To expand on this, not only do they not assign security bugs the priority they deserve, they actively hide them.
  http://arstechnica.com/securit...
  FWIW, I love Linux and used Slackware for almost a decade.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
2. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 10:06 · Score: 5, Interesting
  
  Well it can't be patched before it was discovered but you seem to be implying this issue was known about 5 years ago.
  How long from when it was discovered did it take to be patched?
3. Re:This is the problem with Linux Security by waddgodd · 2014-05-13 10:13 · Score: 1, Insightful
  
  Well, in a normal situation, I'd say yes, but Linux's response to all bugs is similar, patch it as soon as there's a good patch. Now if it were a certain company in Redmond that scales its response based on customer "value", yeah, security bugs had best get fast-tracked. I honestly prefer the "fix all bugs and don't embargo fixes" response that linux does to the "when we discover bugs (heartbleed), we'll let the Cool Kids in on it first and then release it weeks later to the average user" response that Google does
  
  --
  Just because you're paranoid doesn't mean they aren't out to get you
4. Re:This is the problem with Linux Security by fizzer06 · 2014-05-13 10:22 · Score: 0
  
  Linux and Greg K-H have both gone on record
  
  Who is "Linux"?
5. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 10:28 · Score: 0
  
  Linux and Greg K-H have both gone on record saying that security issues are just another type of bug, and don't deserve any type of special treatment.
  This is crap. A bug that allows remote code execution or even a DoS is a much, much bigger issues than fixing the user experience or minor stability issues.
  When you don't assign the significant to security issues that they deserve, they go unpatched for 5 years.
  It's kind of a concern.
  That is why they have something called "priority" in bug. Now if you say "Dos" which is high impact bug then yes it set to high priority. Thats it. This doesn't mean you have to fix this bug first than fixing a critical kernel crash that you get everytime you login. Now priority number is the decider which goes first. Well if they are messing with that, then you are right it is crap!
6. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 10:30 · Score: 0
  
  Depends on your situation right? Performance glitches and stability issues are a killer compared to security issues, when I cruise my linux-based spacecraft through a cloud of astroids near the speed of light..
7. Re:This is the problem with Linux Security by naasking · 2014-05-13 10:30 · Score: 1
  
  A bug that allows remote code execution or even a DoS is a much, much bigger issues than fixing the user experience or minor stability issues.
  I agree security vulnerabilities are worse than simple bugs. However DoS is not. Our entire network infrastructure is already vulnerable to DoS, so vulnerabilities of this sort are just par for the course really.
  
  --
  Higher Logics: where programming meets science.
8. Re:This is the problem with Linux Security by Wonko+the+Sane · 2014-05-13 10:44 · Score: 3, Interesting
  
  If the kernel developers allowed bugs to be clearly marked as security vunerabilities, then it would be trivial to use the Git commit history to identify the individuals who are merging these exploits into the kernel.
9. Re:This is the problem with Linux Security by Microlith · 2014-05-13 11:07 · Score: 3, Insightful
  
  It's already trivial to do that. What would "clearly marking them as security vulnerabilities" gain?
10. Re:This is the problem with Linux Security by wisnoskij · 2014-05-13 11:09 · Score: 3, Interesting
  
  I completely disagree. The reason I use a OS is because its features work and it doe snot crash all the time, I could not care less if it were 1% more secure.
  
  --
  Troll is not a replacement for I disagree.
11. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 11:09 · Score: 0
  
  Well I'm glad _someone_ has RTLinux working for them...
12. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 11:11 · Score: 5, Funny
  
  You know, Linux Torvaldx ix the guy who firxt xtarted writing the Linux kernel. He'x pretty famoux. I'm xurprixed you've never heard of him.
13. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 11:13 · Score: 0
  
  Except *most* kernel bugs can be turned into security issues. Bugs in a kernel are much more far-reaching than bugs in userspace. You are also implying that it took fives year to patch, which is not true: it was introduced five years ago but only discovered at the end of last month (http://www.openwall.com/lists/oss-security/2014/05/05/6).
14. Re:This is the problem with Linux Security by jcochran · 2014-05-13 11:19 · Score: 1, Troll
  
  The GIT entry for the bug was entered Dec 3, 2013. So that means at a minimum, the bug was known of and not fixed for 5 months. That's a bit excessive for 'A bug this serious only comes out once every couple years' kind of bug. I'll agree that 5 months is a lot shorter than 5 years, but it's still far too long.
15. Re:This is the problem with Linux Security by jcochran · 2014-05-13 11:22 · Score: 0
  
  Might want to check the GIT report again. To quote: ... which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings. ...
  Notice that the bug permitted an easy denial of service attack. And with more effort a privilege elevation.
16. Re:This is the problem with Linux Security by jcochran · 2014-05-13 11:34 · Score: 0
  
  Look at the GIT entry. It was entered Dec 3, 2013. A few months earlier than "end of last month". Also the disclaimer on the GIT entry means that the bug could have been discovered even earlier, so the Dec 3 date is merely a "no later than" boundary on the discovery date.
17. Re:This is the problem with Linux Security by ilotgov · 2014-05-13 11:52 · Score: 1
  
  Who is Linux agian?
18. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 11:52 · Score: 1
  
  And by "GIT entry" you mean "CVE entry", which clearly says "Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
  Look at the CVE entry. None of linked documents are earlier than last month.
19. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 11:55 · Score: 3, Interesting
  
  Was it? Where? The git commit linked in the article is for 2014-05-03. Given the number of fixes and revisions this patch went through, one has to actually hunt it down in the MLs to know.
  So, can you please point us to the source of your information?
20. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 11:56 · Score: 0
  
  Which git entry do you mean? All git links are dated May.
21. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 11:58 · Score: 0
  
  I'm looking at it, and it says 2014-05-03. That's 3rd May 2014, for the braindamaged.
  So you must be looking at some other git tree. Which one?
22. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 11:59 · Score: 2, Informative
  
  There's no such thing as "GIT report" mentioned anywhere here, only GIT commits and they're too recent...
  Did you mean CVE? CVEs reservation dates don't correspond with bug discovery date - for example, CVE numbered one less than this one is not even created yet, but it lists the same "20131203" reservation date.
23. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 12:25 · Score: 0
  
  Rofl!...made my day thx.
24. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 12:33 · Score: 0
  
  :*) "snot crash" +1 awesome typo
25. Re:This is the problem with Linux Security by metrix007 · 2014-05-13 12:39 · Score: 0, Troll
  
  Given that the people in charge don't tend to disclose security vulnerabilities and actively hide them, it's difficult to say how long it was known for.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
26. Re:This is the problem with Linux Security by metrix007 · 2014-05-13 12:41 · Score: 2, Interesting
  
  You should read up some more on the clash between security professionals and the Linux maintainers.
  Some bugs are more critical than others, and hiding them not to get negative attention or (rightfully) be pressured to fix them is pretty bad.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
27. Re:This is the problem with Linux Security by metrix007 · 2014-05-13 12:42 · Score: 0
  
  If you're going to be so anal to question an obvious typo, I guess I could ask what the point of your post is, as it only contains quotes.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
28. Re:This is the problem with Linux Security by metrix007 · 2014-05-13 12:45 · Score: 0
  
  If you can't tell who was meant from the context, you should probably head on over to some other, simpler website. Perhaps Mac Rumors.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
29. Re:This is the problem with Linux Security by naasking · 2014-05-13 13:00 · Score: 1
  
  I'm not referring to any specific DoS, just DoS as a general class aren't necessarily security vulnerabilities, ie. specific DoS vulnerabilities might also be security vulnerabilities, but being a DoS vulnerability does not automatically also make it a security vulnerability.
  
  --
  Higher Logics: where programming meets science.
30. Re:This is the problem with Linux Security by metrix007 · 2014-05-13 13:23 · Score: 1
  
  Stability and security are not mutually exclusive.
  Although if you care about stability, then you should also care about security since many malicious attacks can affect stability.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
31. Re:This is the problem with Linux Security by dreamchaser · 2014-05-13 14:09 · Score: 1
  
  Any bug that allows a remote attacker to compromise a system, be it stealing data or denial of service, is a security vulnerability. All DoS vulnerabilities are security vulnerabilities by definition.
32. Re:This is the problem with Linux Security by phantomfive · 2014-05-13 14:18 · Score: 1
  
  A bug that allows remote code execution or even a DoS is a much, much bigger issues than fixing the user experience or minor stability issues.
  You are right, but it doesn't apply in this case. This was a privilege-escalation exploit, which means you already need an account on the computer to do anything.
  
  It's still a problem and I'm willing to bet there are more of these in the Linux kernel, just because they're so tough to clean out.
  
  --
  "First they came for the slanderers and i said nothing."
33. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 14:24 · Score: 0
  
  Can you provide a link to that, please.
34. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 14:27 · Score: 0
  
  You're actively trolling now. Why?
35. Re:This is the problem with Linux Security by kwbauer · 2014-05-13 14:48 · Score: 0, Troll
  
  According to all the hype about FOSS, it should have been discovered by all those thousands of pairs of eyes before it ever shipped so it should have been fixed at least five years ago, according to all that hype.
36. Re:This is the problem with Linux Security by kwbauer · 2014-05-13 14:53 · Score: 0, Troll
  
  but this is open source and open-source proponents have always claimed in the past that the advantage of open-source is that the bugs are discovered by the thousands of pairs of eyes before they ship. So the truth is that this bug was discovered five years ago but not fixed. Either that or there is no inherent security advantage to open-source. Which falsehood have you been telling all these years, boys?
37. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 14:57 · Score: 0
  
  You are ridiculously wrong. This bug would not have been fixed any faster by having an explicit "security bug" classification. The devs did not let it sit around known-but-unfixed until someone created an exploit, the way some vendors do it. It is a very good thing that linux takes all bugs seriously, not just the few that some researcher decides are special.
38. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 15:06 · Score: 0
  
  Linux and Greg K-H have both gone on record saying that security issues are just another type of bug, and don't deserve any type of special treatment.
  That's actually half correct. The OpenBSD guys consider bugs to be exploits that haven't been discovered yet.
39. Re:This is the problem with Linux Security by waddgodd · 2014-05-13 15:29 · Score: 0
  
  Don't see where your flamebait actually changes anything. It certainly provides nothing new, because you can say "they're rude" all day, the question is is the bug in question fixed, and when. Yes, the chances are very good that a bug submitter is going to get a "patch or GTFO" response. In the overall scheme of things, I'd say that's as good as can be expected, given many other groups respond with legal threats.
  
  --
  Just because you're paranoid doesn't mean they aren't out to get you
40. Re:This is the problem with Linux Security by Bite+The+Pillow · 2014-05-13 15:31 · Score: 1
  
  Your argument does not convince. Why reserve a CVE Id and sit on it for six months? Maybe there is a reason, I'm not familiar with how CVE internals work. Your argument is pointless without more support. Sounds like you don't understand the system you defend, which seems rather silly.
41. Re:This is the problem with Linux Security by metrix007 · 2014-05-13 15:42 · Score: 1
  
  Excuse me, but what flamebait? I did not insult you or your argument, instead I made a valid counter argument.
  Oh, and my point wasn't that the maintainers are rude. My point is that the security industry keeps insisting the the Linux team practice responsible disclosure, and they keep arguing there is no need or benefit.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
42. Re:This is the problem with Linux Security by metrix007 · 2014-05-13 15:44 · Score: 1
  
  The examples I used in my post were just that, examples. They were not meant to be specific to this story, as I think the issue is greater than just this story.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
43. Re:This is the problem with Linux Security by MadTinfoilHatter · 2014-05-13 15:51 · Score: 1
  
  A bug that allows remote code execution or even a DoS is a much, much bigger issues than fixing the user experience or minor stability issues.
  May be. But this particular bug does not allow remote anything. It requires a local malicious user. PFTFCVELITS (Please Follow The Fine CVE Link In The Summary)
44. Re:This is the problem with Linux Security by Bryan+Ischo · 2014-05-13 16:01 · Score: 4, Insightful
  
  Taking off-topic potshots against FOSS in response to a misinformed post which incorrectly describes the date of the bug report in response to a post which inaccurately maligns the attitude of kernel developers towards security bugs?
  For fuck's sake, we're three levels deep in FUD here. Someone throw me a rope so I can pull myself out of this quagmire of bullshit.
45. Re:This is the problem with Linux Security by fizzer06 · 2014-05-13 16:03 · Score: 1
  
  My post contained the question.
46. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 16:18 · Score: 0
  
  agian? in a four word post complaining about a typo?
47. Re:This is the problem with Linux Security by tlhIngan · 2014-05-13 16:51 · Score: 1
  
  This was a privilege-escalation exploit, which means you already need an account on the computer to do anything.
  Any account would do. Even say, "nobody".
  All you need is the ability to run an arbitrary binary, which a buggy CGI script is more than adequate. Basically, if you have a bit of shellcode, that's sufficient. Once you have that going, then you can easily exploit your way to more priviledges.
  That said, for the time being we now have a good way to root our Android phones.
48. Re:This is the problem with Linux Security by phantomfive · 2014-05-13 17:33 · Score: 1
  
  That said, for the time being we now have a good way to root our Android phones.
  .......until you reboot. Unless you can get at the bootloader.
  
  --
  "First they came for the slanderers and i said nothing."
49. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 18:03 · Score: 0
  If the kernel developers allowed bugs to be clearly marked as security vunerabilities, then it would be trivial to use the Git commit history to identify the individuals who are merging these exploits into the kernel.
  It's very very hard to define a "security bug" in the kernel (though it has to be done). Almost any odd behaviour can be exploited by sending a set of instructions which works differently in the place of a bug. An application can be relying on almost anything a computer does any unexpected behaviour could cause a problem. What is a huge problem on a server (like this) might not be a security bug on an embedded system which has not. The opposite is also true. A failure to beep on demand from the TTY could turn stop a fire alarm working. The kernel is never a complete system. I doubt the majority of Linux users (on Android) are affected in any way.
  So; let's be clear what we want so that Linus cannot pretend that there is no answer. We do not want all security bugs to be reported since we don't know which they are. What we want is policy that Linux kernel maintainers have to agree to (and voluntarily for everyone else). It should go something like this/
  There should be a list in the latest kernel source of Linux vendor security contacts for vendors who agreed to act "responsibly" (to be defined by that group with Linus having a veto)
  At the moment that someone realises that a bug in the kernel could be used by one group to harm a specific other group of people then they should contact the security contact of one (any will do - if they fail to act "responsibly" they are removed from the "responsible" group) of the vendors affected.
  If there is a git checkin already committed then they should be told about it. If not, they should be given any information available about exploits, patches etc.
  There should be a (minimal) delay available to allow those vendors to prepare for any public release; subject to the agreement of the person who identified the security vulnerability.
  During the delay any patches should only be passed up in the maintainer tree in the direction of Linus and be held in private repos and should always be copied to the security contact. At the end of the delay
  A maximum suggested limit of e.g. five days delay on patches with fixes being published.
  That's it. Nothing complex. Nothing even requiring much work from the maintainers (since they hand everything extra on to the security contacts). Just a simple declaration that, if we know about it we will report it to the vendors. It would be nice if the communication was secure and encrypted. The vendors should list their security contact GPG keys in the kernel source.
50. Re:This is the problem with Linux Security by Barsteward · 2014-05-13 18:31 · Score: 1
  
  i could accuse you of the same thing.. " I'm not familiar with how CVE internals work, my argument is pointless without more support." fixed it for you..
  
  --
  "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
51. Re:This is the problem with Linux Security by jones_supa · 2014-05-13 18:43 · Score: 1
  
  Although if you care about stability, then you should also care about security since many malicious attacks can affect stability.
  True, but most stability problems do not stem from malicious attacks.
52. Re:This is the problem with Linux Security by jones_supa · 2014-05-13 18:49 · Score: 0
  
  Ahoy, mod parent up. That's an important distinction. In addition to the claimed "eyes searching for bugs", there's already a sea of bugs that have been found and properly reported, but they get fixed slowly. Some of these are critical bugs. Now someone comes to say "you ignore the fact that proprietary software is no better". And it isn't! But the claim that bugs get fixed quickly in OSS is not true. It's a myth, just like the eyeballs thing.
53. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 18:49 · Score: 0
  
  No, cunt, it contained nested quotes. Fuck yourself to death with a red hot poker.
54. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 19:26 · Score: 0
  
  > I'm not familiar with how CVE internals work
  Why are you even arguing here, then?
  CVE IDs are assigned by a number of CVE numbering authorities. This includes Mitre itself plus big software companies like MS and Red Hat, plus few extras. Each authority requests pools of CVE IDs to assign from Mitre. Year in CVE ID is the year of original bug report, which blows up the "sat on it for 6 months" theory.
  Here's that initial bug report referenced in CVE. Note how it says: "Date: Mon, 5 May 2014 12:08:11 +0200 [snipped message to oss-security list] CVE-2014-0196 has been assigned to this issue. [snipped] Date: Tue, 29 Apr 2014 12:38:36 -0400 [snipped original bug report and patch] We, at suse, would appreciate embargo till Mon May 5th."
  That is, discovered and reported with a patch at 140429, then published at 140505 with an ID from SUSE's pool reserved at 131203.
  HTH, HAND.
  PS: Hearbleed is also from 131203 IDs batch, as well as at least 323 others this year.
55. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 19:42 · Score: 0
  
  Linux and Greg K-H have both gone on record saying that security issues are just another type of bug, and don't deserve any type of special treatment.
  This is crap. A bug that allows remote code execution or even a DoS is a much, much bigger issues than fixing the user experience or minor stability issues.
  Go look at the alternative. At least one other OS treats security issues as features and keep them rather than fix them.
  The same OS also keeps bugs because of backwards compatibility.
  Security issues are bugs and should be handled as those.
56. Re:This is the problem with Linux Security by The123king · 2014-05-13 20:37 · Score: 2
  
  Bugs can be ancient. anyone remember that Windows VDM bug that affected every version of Windows based on NT? How is this bug different?
  
  Bugs have to be found, you can't expect every bug to just be easy to find. That's how things like Heartbleed, and the VDM bug don't get discovered for years. I'm sure there's probably bugs almost as old as Linux itself in the kernel, and i'm almost certain there's bugs in Windows affecting everything from 3.1 up.
  
  But yes, i'd be very suprised if this bug was reported 5 years ago. It's not unheard of in the Linux world, but it really shouldn't be happening, and thankfully happens rarely (and when it does, Slashdot has a field day)
  
  --
  If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
57. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 21:02 · Score: 0
  
  , we're three levels deep in FUD here. Someone throw me a rope so I can pull myself out of this quagmire of bullshit.
  It would be easier for you to get out of the bullshit if you weren't busy adding to it yourself. Sink.
58. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 21:17 · Score: 0
  
  This particular vulnerability permits root privilege escalation or a local DoS attack, depending on the specific exploit code leveraged. Learn to fucking read before commenting on serious issues, you fucking idiot. Seriously, go get a good fucking night's rest and read the following words out loud as soon as you wake up: "I will not make public statements on things I don't fucking understand." Afterward, feel free to have a great fucking day, but until then, go fuck yourself. Cheers.
59. Re:This is the problem with Linux Security by Threni · 2014-05-13 22:01 · Score: 1
  
  > This is crap. A bug that allows remote code execution or even a DoS is a much,
  > much bigger issues than fixing the user experience or minor stability issues.
  You're not a security professional. You should have to put that in your sig file. The linux kernel is used in many different situations, and clearly some security problems only pose a risk in some of those situations. IE. a lot of embedded systems will never be vulnerable to this particular issue.
  A bug is a bug. All bugs should be triaged and then treated accordingly. You don't pretend a bug is more important because security is the flavour of the month.
60. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 23:12 · Score: 0
  
  You're an idiot. Any remote vulnerability that permits arbitrary code execution in the context of an unprivileged account is highly likely to serve as a vector for root privilege escalation if the payload exploits this vulnerability. Please get a goddamned education in these matters before further polluting the discourse with idiotic minimization of the risk at hand. Thanks!
61. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-13 23:50 · Score: 0
  
  Does the "nobody" account still exist on any recent distro? I mean it's probably 10 years ago that people realized the stupidity of having a user named "nobody", with access to critical services.
  Even without a privilege escalation attack, an attacker could get in through on bugge service running as nobody, and gain access to all the other services, including Apache (which I believe was the original "owner" of the nobody user, before everybody else started using it).
62. Re:This is the problem with Linux Security by Eunuchswear · 2014-05-13 23:53 · Score: 1
  
  Yes, the chances are very good that a bug submitter is going to get a "patch or GTFO" response.
  Not my experience. If you report a serious bug wirth enough supporting information it's quite likely someone else will propose a patch.
  
  --
  Watch this Heartland Institute video
63. Re:This is the problem with Linux Security by Wootery · 2014-05-14 00:24 · Score: 1
  
  A bug is a bug. All bugs should be triaged and then treated accordingly. You don't pretend a bug is more important because security is the flavour of the month.
  But a bug which can be exploited to give a security hole necessarily deserves a high priority, no?
  
  You're not a security professional
  
  don't pretend a bug is more important because security is the flavour of the month
  A bug which enables a remote attacker to compromise a server is necessarily a serious one, no? I really don't get what your point is with this flavour of the month thing.
64. Re:This is the problem with Linux Security by naasking · 2014-05-14 00:53 · Score: 1
  
  You're missing the point: our network infrastructure is already DoS vulnerable. A remote DoS is just another drop in a full pool. To suggest that a DoS vulnerability "compromises" the remote system doesn't seem justified.
  
  --
  Higher Logics: where programming meets science.
65. Re:This is the problem with Linux Security by metrix007 · 2014-05-14 00:56 · Score: 2, Interesting
  
  The OP does not inaccurately malign the attitude of the kernel develops towards security bugs. Their stance is widely known.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
66. Re:This is the problem with Linux Security by metrix007 · 2014-05-14 00:57 · Score: 1
  
  It contained nested quotes. I see no text that can be attributed to you.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
67. Re:This is the problem with Linux Security by metrix007 · 2014-05-14 01:00 · Score: 0
  
  Actually, I am a security professional, working for one of the largest security companies in the industry.
  It's clear you are not however.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
68. Re:This is the problem with Linux Security by kwbauer · 2014-05-14 05:11 · Score: 1, Informative
  
  Fact: FOSS proponents extremely frequently in the past claimed that OSS was security issue free because of all the review of the code that was happening.
  Fact: The code shipped 5 years ago according to the story.
  Fact: The story is about a security issue that shipped.
  Therefore, pointing out that the proponents of FOSS are full of shit because a bug shipped is not off-topic for a story about a bug shipping in open-source software.
  I was simply posting that the argument about when the bug was first reported is irrelevant as the OSS claim is that all bugs are found and fixed before ever shipping.
69. Re:This is the problem with Linux Security by Mathinker · 2014-05-14 06:38 · Score: 1
  
  > Actually, I am a security professional, working for one of the largest security companies in the industry.
  Hm, let me guess. You work for Microsoft, in the team developing Microsoft Security Essentials?
70. Re:This is the problem with Linux Security by Mathinker · 2014-05-14 06:48 · Score: 1
  
  > FOSS proponents extremely frequently in the past claimed that OSS was security issue free
  Nice strawman, there.
  Personally, I'd say that the only frequently claimed advantage claimed for FOSS in the past was that it was, then, so niche that no one would find it worthwhile to try to exploit. Times have changed, now. For example: Firefox, Chromium, and, I'd say, even desktop Linux isn't safe anymore according to that criterion (server Linux never was safe, since servers are such juicy targets).
71. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-14 08:16 · Score: 0
  
  WAY TO TWIST IT UP. The bug has been in the code for up to five years. It looks like it was discovered a couple of weeks ago. You don't know if it has been patched or not. There is a completely and almost opposite meaning. There is there is no inherent advantage to you having a 'puter'. You would not know the "TRUTH" if it bit you on the ass. No need to renew your 'dumb fuck of the month card'...You are a life member.
72. Re:This is the problem with Linux Security by metrix007 · 2014-05-14 08:39 · Score: 1
  
  No Sir. I said a security company. Not a company with a security department.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
73. Re:This is the problem with Linux Security by kwbauer · 2014-05-14 10:47 · Score: 1
  
  Sorry but your personal view is what others tried to point out as the advantage. The proponents claimed exactly what I wrote they claimed. Searching through Slashdot posts within the past 12 months find such claims.
  Personally, I agree with your position on why most FOSS code has been exploited; that just doesn't fit what many proponents were claiming.
74. Re:This is the problem with Linux Security by kwbauer · 2014-05-14 10:59 · Score: 1
  
  Here is an example of just such a claim and it is very recent. http://it.slashdot.org/comment...
75. Re:This is the problem with Linux Security by Mathinker · 2014-05-14 11:10 · Score: 1
  
  >> So yes, I think their safeguards and failsafes extend beyond Windows Update and Norton.
  >> Open sourcing their code reduces the black-box vulnerabilities well beyond that level to
  >> begin with.
  is the same as
  > FOSS proponents extremely frequently in the past claimed that OSS was security issue free
  eh?
  I could analogously argue that your logical ability (which seems small), is zero. But I won't.
  Small != zero, and conflating them can be a strawman argument, since it also means conflating their reciprocals.
76. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-14 11:49 · Score: 0
  
  Sadly, I suspect the fucking moron trolls are going to ignore these pesky facts and continue ranting about years of vulnerability.
77. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-14 11:53 · Score: 0
  
  It might be, but your FUD about "remote attackers" just proved you're a troll. YOU NEED A LOCAL ACCOUNT TO EXPLOIT THIS. If some moron is running their web-facing server such that a remote user can execute the code to trigger this bug, this bug is irrelevant to them, because they're already allowing remote code execution.
78. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-14 12:14 · Score: 0
  
  You mean you work at a sham contracting company that spread FUD about trivial security issues to try to get other companies to pay you to "audit" their stuff, so you can try to find more trivial bugs that you can also throw FUD at. Quit being a leech and do something productive.
79. Re:This is the problem with Linux Security by hobarrera · 2014-05-14 19:18 · Score: 1
  
  Fact: FOSS proponents extremely frequently in the past claimed that OSS was security issue free because of all the review of the code that was happening.
  False. OSS proponents claim that OSS has less security issues than closed source software, and that they're easier to find and fix. Nobody ever stated that security bugs were completely inexistant. They're just fewer in number, and, usually, fixed faster.
80. Re:This is the problem with Linux Security by dreamchaser · 2014-05-18 01:37 · Score: 1
  
  Fair enough, I think we're talking semantics here now. All I know is a lot of my clients do, and rightly so, consider DoS to be a security issue.
81. Re:This is the problem with Linux Security by Anonymous Coward · 2014-05-18 23:36 · Score: 0
  
  This is bullshit and you know it.
Soooo..... by Anonymous Coward · 2014-05-13 10:03 · Score: 1

'A bug this serious only comes out once every couple years.'
....in the time it took to fix this bug they got two more just as bad?
One step forward, two steps back.
OpenBSD time... by Anonymous Coward · 2014-05-13 10:11 · Score: 0

The open source projects aren't doing to well lately with these severe bugs, seems like the only people taking security seriously anymore is OpenBSD, I guess it's time to switch!
1. Re:OpenBSD time... by cheater512 · 2014-05-13 10:35 · Score: 1
  
  Oh don't worry too much about it.
  It is only notable because everyone is desensitized about commercial software bugs.
  Compare it to Windows. How many patches do they make which are major or critical each year?
2. Re:OpenBSD time... by Anonymous Coward · 2014-05-13 10:48 · Score: 0
  
  Oh don't worry too much about it.
  It is only notable because everyone is desensitized about commercial software bugs. Compare it to Windows. How many patches do they make which are major or critical each year?
  Compared to Hartbleed and this, I don't know of any of similar critical level and impact. We are not looking good trying to misdirect the seriousness of these long undiscovered highly critical FOSS vulnerabilities.
3. Re:OpenBSD time... by Anonymous Coward · 2014-05-13 10:55 · Score: 0
  
  Sure, if:
  * it had a larger community
  * there was an official forum rather than just MLs.
  * they freely offered official LiveCD/USB images
  * overall system configuration could be done in GUI(s)
4. Re:OpenBSD time... by Anonymous Coward · 2014-05-13 11:11 · Score: 0
  
  * it wasn't dying
5. Re:OpenBSD time... by vux984 · 2014-05-13 11:12 · Score: 1, Insightful
  
  Compared to Hartbleed and this, I don't know of any of similar critical level and impact.
  Any remotely exploitable bug that allows for remote code execution / priviledge escalation without user interaction is just as bad or worse.
  After all, heartbleed was "just" a remotely exploitable memory "leak"; but if you have remote code execution, you can scan the memory and send home anything interesting; to the same effect as heartbleed, plus anything else you might want to do once you are running on the system.
  Windows XP early on (until SP1 or 2?) was remotely exploitable in this way as I recall. And there have been other exploits just as bad over the years.
  Heartbleed was a big deal but its not singularly bad. There's been others before it.
6. Re:OpenBSD time... by Anonymous Coward · 2014-05-13 11:35 · Score: 0
  
  Compared to Hartbleed and this, I don't know of any of similar critical level and impact.
  Two words: Internet Explorer.
7. Re:OpenBSD time... by metrix007 · 2014-05-13 12:49 · Score: 1
  
  OpenBSD is and mostly always has been a joke.
  "Secure by default" isn't the same as auditing a few core services and disabling the rest.
  They do a great job of maintaining OpenSSH though.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
8. Re:OpenBSD time... by Anonymous Coward · 2014-05-13 12:52 · Score: 0
  
  It is only notable because everyone is desensitized about commercial software bugs.
  Compare it to Windows. How many patches do they make which are major or critical each year?
  Who cares? Your attempt at misdirection has no relevance here. Windows isn't used nearly as much in the server market or the embedded market and certainly no security solution from Microsoft is used as widely as OpenSSL. The implications of these issues are far more far-reaching than any of those in Windows. Linux is more often trusted with safeguarding the data of millions, Windows is not so Linux comes under greater scrutiny when issues like this arise. Being as it isn't as highly used in the server market in general you hit one Windows machine and you get the data for 1 person, hit one Linux machine and you get the data for 1 million people.
  Add to that a vulnerability in the Linux kernel can also lead to millions of unpatchable, vulnerable Android phones and tablets so yes it should come under greater scrutiny.
  Dismissing this under the guise that "Windows has more bugs" is pure idiocy, what will you do when/if Microsoft does finally become irrelevant in the desktop market? When dealing with issues like this you need to face the issue not try and direct people's attention away from it in a desperate bid to save face.
9. Re:OpenBSD time... by Anonymous Coward · 2014-05-14 02:22 · Score: 0
  
  A bit more than auditing....
  http://www.openbsd.org/papers/ru13-deraadt/mgp00001.html
5-year-old allegations by turkeydance · 2014-05-13 10:17 · Score: 1

are demotions or dismissal. let alone actual proof. in a four-year administration.
the real problem with linux security by Anonymous Coward · 2014-05-13 10:43 · Score: 0

The real problem with linux security is that the buggy kernels could be widely deployed, and unlikely to be patched. Maybe your router or washing machine or microwave has buggy linux hidden inside it. The chances of all those linux installations being patched is very low.
Once The Internet Of Things is running, there will have to be serious consideration given to security. Otherwise there will be a series of stories like "criminals broke into my home network through my buggy washing machine and stole lots of important and secret data!".
If you want "guaranteed employment", study computer security. There is gonna be a big demand for it soon.
1. Re:the real problem with linux security by Anonymous Coward · 2014-05-13 15:55 · Score: 0
  
  The real problem with washing machine security is that you might have been "Tivoed" and therefore unable to update/fix your washing machine, in spite of it supposedly running Free Software (i.e. maintainable software).
  This problem is why we have GPL3. But where's the GPL3 OS?
2. Re:the real problem with linux security by Anonymous Coward · 2014-05-13 20:37 · Score: 0
  
  True. Btw, are there any tools available for finding out the current status of exploits in a certain kernel version? That would help script kiddies a lot, perhaps it would even benefit others by forcing vendors to actually update their firmwares.
This is the problem with Windows Security by Anonymous Coward · 2014-05-13 10:45 · Score: 1, Insightful

count the # of remote exploits patches in each version of Windows and how many years between patches where the OS was vulnerable.
1. Re:This is the problem with Windows Security by Anonymous Coward · 2014-05-13 12:29 · Score: 0
  
  At this point in history, "Microsoft Security" is an official oxymoron. On par with military intelligence, jumbo shrimp and the rest, it's set in stone.
2. Re:This is the problem with Windows Security by Anonymous Coward · 2014-05-13 13:02 · Score: 0, Insightful
  
  count the # of remote exploits patches in each version of Windows and how many years between patches where the OS was vulnerable.
  Yep, standard response of the Linux zealot: Problem with Linux? Point out a problem in Windows!
  Great way to handle it bud!
3. Re:This is the problem with Windows Security by Anonymous Coward · 2014-05-13 13:14 · Score: 0, Insightful
  
  Ah yes, a bug for the Linux kernel shows up and a coward uses Windows as a benchmark. Nice job. it may not be good dog food, but at least it is better than Windows.
I gotta say by Anonymous Coward · 2014-05-13 12:25 · Score: 2, Funny

a "doe snot crash" sounds pretty bad to me. Just sayin'. Do you have deer hanging around your computer?
1. Re:I gotta say by tepples · 2014-05-13 13:13 · Score: 1
  
  Do you have deer hanging around your computer?
  Yeah, plenty of goldeer and even a few eldeer.
"Linux Kernel Bug Fixed by 5-year-old" by Anonymous Coward · 2014-05-13 12:39 · Score: 0

Misread the title on this one, and was most disappointed once I read TFS.
Has anybody tried it? by Anonymous Coward · 2014-05-13 12:52 · Score: 0

Has anybody of you, "nerds", tried it? Just out of curiosity. I've been running it on my machine (2.6.37) for 10 minutes already, while I'm typing this comment. So far it keeps printing those dots after "Attempting to overflow...".
I owe it all to Explain Like I'm Five by tepples · 2014-05-13 13:17 · Score: 1

Would that be the result of a 5-year-old following Explain Like I'm Five for a while and becoming smarter than the average public school teacher (see recent story about public school failure)?
Alan Cox by Anonymous Coward · 2014-05-13 13:41 · Score: 0

Wasn't it around 5 years ago that Alan Cox left as the role of maintaner of the tty layer? I wonder whether the bug had a chance to get into the kernel while the new maintaners were still learning the ropes so to speak.
5 year old tempest in tty pot by stock · 2014-05-13 13:58 · Score: 3, Interesting

The problem was well discussed in 2009 here : A tempest in a tty pot https://lwn.net/Articles/34382... The result was that after a heated debate, Alan Cox was blamed for allowing old code to stay because emacs would loose terminal output and Greg KH was simmoned to stepup as the TTY maintainer. The new TTY/PTY guys became James Simmons, the Frame-buffer guy and C. Scott Ananian, the former jack-of-all-trades for the One Laptop per Child Foundation. Curious enough it were not Linux server systems like RedHat Enterprise who have been vulnerable for almost 5 years, but the popular Linux desktop distro's like Ubuntu.
1. Re:5 year old tempest in tty pot by Anonymous Coward · 2014-05-13 15:02 · Score: 1
  
  Curious enough it were not Linux server systems like RedHat Enterprise who have been vulnerable for almost 5 years, but the popular Linux desktop distro's like Ubuntu.
  Wrong. RHEL 5 isn't affected, it uses an old kernel. RHEL 6 is affected: https://bugzilla.redhat.com/sh...
  
  This issue does not affect the versions of the Linux kernel packages as shipped
  with Red Hat Enterprise Linux 5.
  This issue does affect the versions of the Linux kernel packages as shipped
  with Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2
2. Re:5 year old tempest in tty pot by Bite+The+Pillow · 2014-05-13 15:35 · Score: 0
  
  The old guy screwed up, was replaced, and the new guys screwed up too. Does that mean replace or do not replace?
  Or just that you remember old news?
  If the latter, stick to tagging dupes here.
POC doesn't work here. by ralphtheraccoon · 2014-05-13 18:13 · Score: 5, Interesting

I read through the POC, it seemed safe enough to play with, so I've tried it out on a few different servers here (CentOS & Debian Stable). On the CentOS boxes it dies before it even gets started trying to overflow into a tty, and on my Debian machine it's been going for 5 minutes (using up to 90% CPU, but still leaving the machine quite usable), and still hasn't got anywhere.
This isn't quite the "instant ROOT ACCESS!" privilege escalation that scares keeps sysadmins up at night. (unless I'm missing something...)
1. Re:POC doesn't work here. by Anonymous Coward · 2014-05-14 02:57 · Score: 0
  
  Please - this is Slashdot. FUD, ranting and raving are the order of the day here - and "my OS is bigger than your OS" statements. Your actual test and commenting on what a REAL test have revealed are completely irrelevant to this forum. We aren't about reality here. Take your reality to other forae - Ars for instance.
OpenSSL too by Anonymous Coward · 2014-05-13 19:30 · Score: 0

In other news, there was also a 4-year-old flaw in OpenSSL. In the same way this bug was publicly reported (CVE-2010-5298) for years, without no one taking the responsibility to fix it.
Here's a detailed report of the bug by OpenBSD developer Ted Unangst. It was finally fixed in the recent quality assurance effort conducted by the OpenBSD guys.
Must mention microkernels by Megol · 2014-05-13 21:22 · Score: 2

As something like this would be impossible with the driver executing in an isolated process. Memory corruption would still be possible of course (unless the driver was written in a secure language) but it would be local.
1. Re:Must mention microkernels by Anonymous Coward · 2014-05-14 22:50 · Score: 0
  
  Maybe. However, we do not have microprocessors that are actually capable of running microkernels with driver isolation properly. Not anymore.
  There are only TWO hardware protection rings, if that much. Three if you count the SMM crap in some processors (x86/x86-64, ARM64), which is unusable because either firmware you would be much better without, or spyware will have already taken it over. It used to be four rings, but that's long gone.
  You need at least three to have proper driver separation, otherwise either it can crash the kernel, or userspace can attack it. And it has to be *extremely fast* to switch from one ring to the other for driver work. Fast enough that it is not possible to do it properly, e.g., on X86-64.
2. Re:Must mention microkernels by Megol · 2014-05-15 00:49 · Score: 1
  
  The L4 family, QNX, K42 and Nemesis/Expert shows that the kernel/userspace division is enough.
  In fact there are systems that doesn't have even two "rings" and are secure. One example is the Microsoft research Singularity that uses a secure programming language, another is the Go component design (can't find a link sadly) that uses segmentation combined with a light-weight processor abstraction for protection. There are many others.
  The L4 kernel have switching times as low as some hundred cycles between components (https://www.l4ka.org/126.php) and this could be lowered on current x86 processors that supports address space ids. K42 and Nemesis should be even more light-weight as they only transport the contents of registers (K42) or one data value (Nemesis) using mostly user-space management of communication.
openbsd by astar · 2014-05-14 06:23 · Score: 2

Openbsd defines any potential security issue as a bug. Emphasis potential. The interesting actual exploits these days are sometimes 15 unexploitable glitches strung together.
The Linux kernel is oriented towards supporting all the cutting edge hardware. This is not going to make security very practical. Openbsd is, ah, stodgy. But what openbsd brags on is "no remote holes in the default install" not "no local exploits".
I think that Linus cannot fix this sort of issue. Theo could take lessons from Linus on nasty around systemd but Linus has not been consistently nasty and I think it too late.
Send Theo money.
+1 -- must mention microkernels & even languag by Paul+Fernhout · 2014-05-14 11:46 · Score: 1

As I suggested in this thread here in Dec 2012: http://developers.slashdot.org...
"One thing of concern to me about this (not knowing the kernel communications culture or the previous interactions of Linus and this maintainer) is whether the Linux kernel (and development community) has maybe reached some point where old development methods are breaking down in trying to support an every growing monolithic kernel approach? I initially [resisted] using Linux in the 1990s because I knew there were alternative architectures available, like from QNX, Erlang, Actor, or Smalltalk, and I had hoped those alternatives would prevail. I started using GNU/Linux only when it seemed like the social momentum there was unstoppable. Thus my previous comment on "message passing" as perhaps a better architecture for software in the 21st century because if can help address theses issues of redundancy, modularity, and testability as ways to manage risk from complexity."
It comes down to priorities. The Linux Kernel community seems to have historically prioritized maximum speed over things like security, reliability, ease-of-use, or even driver developer sanity (like statements of Linux leaders saying stuff like like APIs can be changed at will and it does not matter how much time it takes driver developers to deal with it). I'm not saying they don't care at all about these other issues, just that historically it was not a priority. If they did priorities these other things, then a message passing microkernel (more like QNX) makes more sense. Also, using a language with better bounds checking and such might also be valuable, however with a microkernel choice of language may not matter as much since most of the code for most drivers could be outside the kernel.
Anger often comes from fear. What is Linus afraid of? A big worry must be kernel getting severely broken by some contribution, That's what really sets him off into profanity. The more code involved, the more likely that can happen. I would predict that the amount of profanity Linus needs to use to keep the Kernel team in order is a good inverse metric of Kernel design quality relative to current needs. :-) And I'd suggest the amount of profanity needed is growing given the current design and current community needs and it does not bode well. :-(
Personally, at this point, I would *gladly* use a computer system that was half as fast but never crashed, never put my privacy or security at risk by bugs, never required a "recompile" just to install drivers, never had weird problems dues to incompatible versions of drivers it could not detect or manage, was ported easily to any hardware so it was truly universal, was easily upgradable indefinitely, was transparently networkable with other hardware running the same OS as one big virtual computer, which had a community of developers making new useful stuff instead of being pinned down by just keeping up with kernel API changes, and so on...
One of the reason Linux on the desktop failed is because of all these things and the pain all these continual changes to a monolithic kernel cause a general user and what a pain in the butt it would be to get any hardware installed and configured. Linux had tremendous amounts of goodwill and human time devoted to it, but it seems much of that got wasted on dealing with a monolithic kernel which meant at best that Linux computers worked 30% faster (or as fast as next years models would otherwise) -- but only when they worked, which was painful enough that people just abandoned Linux on the desktop. That is true even people like me who ran Debian as a desktop for about five years and eventually got tired of all the random breakage and moved to the Mac (maybe regretting it a bit now with Apple's new annual OS releases and developers abandoning versions from just a year or two ago...) -- and while some of the break

--
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.