Slashdot Mirror


Serious Linux Kernel Vulnerability Patched (threatpost.com)

msm1267 writes: A patch for a critical Linux kernel flaw, present in the code since 2012, is expected to be pushed out today. The vulnerability affects versions 3.8 and higher, said researchers at startup Perception Point who discovered the vulnerability. The flaw also extends to two-thirds of Android devices, the company added. An attacker would require local access to exploit the vulnerability on a Linux server. A malicious mobile app would get the job done on an Android device. The vulnerability is a reference leak that lives in the keyring facility built into the various flavors of Linux. The keyring encrypts and stores login information, encryption keys and certificates, and makes them available to applications. Here's Perception Point's explanation of the problem.


  1. Local user to root on server is serious by Anonymous Coward · Score: 1, Insightful

    The summary downplays the threat to Linux servers with how the "local access required" is phrased. The PoC provided successfully escalates privileges from a local user to root. This is a very serious issue with serious remote exploitation risk.

  2. Re:Well, let's see how Google fixes this by serviscope_minor · Score: 4, Insightful

    How are all of these Android versions in the wild going to get fixed?

    Haha they're not!

    Welcome to the new way of doing things. Updates are for old fuddy duddies.

    --
    SJW n. One who posts facts.
  3. Re:Well, let's see how Google fixes this by serviscope_minor · Score: 4, Insightful

    Unless you're driving a somewhat recent Nexus...then you'll get an update fairly quickly.

    I have a Nexus 4. It's still very much functional, but it's been EOL since May 2015, a scant 2.5 years after it was first released. By contrast my 8 year old eee 900 is happily running the latest version of everything.

    I'm typing this from my W510 laptop (at work---yay for slacking) which is now amazingly approaching 6 years old. It works great. It's running a 2 year old version of Ubuntu (14.04 LTS) which will continue to be supported for another 3 years. However, I'll almost certainly upgrade to 16.04 and the laptop will keep on trucking (the 16G of RAM has stopped it aging badly) for many years to come.

    The state of mobile phones is beyond pathetic, compared to what we had for PCs.

    --
    SJW n. One who posts facts.
  4. GOTO still considered harmful by johannesg · Score: 1, Insightful

    According to a comment on Phoronix ( http://www.phoronix.com/forums... ), the cause is a goto:

    "And the funny thing is? The guilty line is a fucking GOTO. Everyone using this atrocious coding practice should be shot in the head." ("magika")

    User "stevenc" adds: "It's a pretty common pattern of trying to emulate Object Oriented Programming in C. Try to construct one or more 'objects', otherwise fall back to one or more 'destructors' at end of the function. They'd even implemented their own reference counters within the struct (object) and had function pointers (methods); both of which allowed this to be an exploitable bug. In OO languages these are implemented in the language/interpreter/compiler and usually done right."

    Now please contrast the desire to have C++ features without using C++ with this post: http://article.gmane.org/gmane...

    At least one "substandard" programmer has a lot of egg on his face right now...
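
The goto-cleanup pattern with a hand-rolled reference counter that comment 4 quotes, shown as an added toy example that is not part of the thread and is not kernel code. All names (`obj_get`, `obj_put`, `join`, the two-entry table) are hypothetical; the `leaky` flag selects between the early exit that skips the put and the exit that goes through it.

```c
/* Constructed toy model of the pattern; not kernel code, all names hypothetical. */
#include <stdio.h>
#include <string.h>

struct obj { const char *name; int refs; };   /* hand-rolled refcount */
static struct obj table[2];
static struct obj *current;                   /* holds one reference */

void reset_state(void)
{
    table[0] = (struct obj){ "a", 1 };        /* the 1 is current's reference */
    table[1] = (struct obj){ "b", 0 };
    current = &table[0];
}

static struct obj *obj_get(const char *name)  /* lookup returns a new reference */
{
    for (int i = 0; i < 2; i++)
        if (strcmp(table[i].name, name) == 0) { table[i].refs++; return &table[i]; }
    return NULL;
}

static void obj_put(struct obj *o) { o->refs--; }

/* leaky != 0 reproduces the bug class: the early exit jumps past the put. */
int join(const char *name, int leaky)
{
    int ret = -1;
    struct obj *o = obj_get(name);
    if (!o) goto out;
    ret = 0;
    if (o == current) {
        if (leaky)
            goto out;       /* BUG: lookup reference is never dropped */
        goto out_put;       /* fix: leave through the label that drops it */
    }
    obj_put(current);       /* release the old object */
    o->refs++;              /* current takes its own reference */
    current = o;
out_put:
    obj_put(o);             /* drop the lookup reference */
out:
    return ret;
}

int main(void)
{
    reset_state(); join("a", 1); printf("leaky: refs(a)=%d\n", table[0].refs);
    reset_state(); join("a", 0); printf("fixed: refs(a)=%d\n", table[0].refs);
    return 0;
}
```

Asserting that the counter returns to its starting value after a no-op call is the kind of balance check that catches this class of leak in a unit test.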