Linux 2.4.24 Release Fixes Root Vulnerability
slashdot | 1-5-2004 | kernel.org
Posted on 01/05/2004 1:19:04 PM PST by zeugma
Slashdot is reporting the following:
"Linux Kernel 2.4.24 has been released and is available on kernel.org. It seems there's a bug in the mremap(2) system call, where a local user can get root privileges. The new version has been released only with the most important bugs fixed - the rest of the changes have been postponed (those changes include the XFS filesystem)."
TOPICS: Business/Economy; Miscellaneous; News/Current Events; Technical
KEYWORDS: kernelrelease; linux; localexploit; lowqualitycrap
Source for the kernel can be downloaded from Kernel.org.
Most individuals running will be unaffected by this, as this is a local exploit, meaning that you have to have a malicious user who already has an account on your system take advantage of it. Multi-user environments should definitely look at implementing this ASAP.
1 posted on 01/05/2004 1:19:05 PM PST by zeugma
To: rdb3
A Penguin ping if you would, please
2 posted on 01/05/2004 1:19:48 PM PST by zeugma (The Great Experiment is over.)
To: zeugma
Just outta curiosity, does the Linux community release security "patches" when vulnerabilities are discovered? Or do they just release a whole new build?
To: StatesEnemy
Just outta curiosity, does the Linux community release security "patches" when vulnerabilities are discovered? Or do they just release a whole new build?
You can get it several ways:
- A source patch that is applied to a pre-existing kernel source, which you then build and install.
- A complete new source kernel, which you then build and install.
- A pre-built kernel that is installed either manually or automatically.
The choices depend on which distribution you use, and what support options are provided (or you paid for).
To: John Robinson; B Knotts; stainlessbanner; TechJunkYard; ShadowAce; Knitebane; AppyPappy; jae471; ...
The Penguin Ping.
Wanna be Penguified? Just holla!

Got root?
6 posted on 01/05/2004 1:45:25 PM PST by rdb3 (KAPPA ALPHA PSI: Jan. 5, 1911/Jan. 5, 2004 ||| Celebrating 93 Years of Achievement)
To: zeugma
Isn't this old news? The latest Linux kernel is 2.6.0.
7 posted on 01/05/2004 1:54:05 PM PST by Seselj
To: Seselj
Actually, I should have changed the title a bit to indicate that it appears to affect the entire 2.4 series, as well as 2.6.x.
The fix appears to be a change in a single line or two of source, if I read some of the comments on /. correctly.
8 posted on 01/05/2004 2:05:21 PM PST by zeugma (The Great Experiment is over.)
To: StatesEnemy
Post #5 described it better than I could. I rarely roll my own kernel anymore, unless something really major comes out that I want to make use of. (like when USB was added way back when).
9 posted on 01/05/2004 2:06:52 PM PST by zeugma (The Great Experiment is over.)
To: zeugma; justlurking
Thankee.
I am contemplating the penguin plunge, and am in the 'gathering of info and drivers' mode.
To: StatesEnemy
I am contemplating the penguin plunge, and am in the 'gathering of info and drivers' mode.
I didn't realize that, so I'll add to my previous post:
For most people, "Linux" is much more than just a kernel. A typical system has many applications and utilities bundled with it into a "distribution".
However, the larger distributors of distributions (RedHat, Debian, Gentoo, etc.) have a mechanism to obtain updates, much like "windows update". Some download and install the pre-built binary, some download the source and completely rebuild the application for your system.
If you want to just play with Linux, I recommend Knoppix. You can stick the CD in your CD drive and boot from it, and then poke around as much as you want. It will mount the drives on your computer (so you can read them), but not change any data: it runs completely off the CD, and any needed temporary space is held in RAM.
To: rdb3
Now if MicroSoft would only close port 139...that problem's been around since, uh, '95?
To: zeugma
if I read some of the comments on /. correctly.
Always taken with a grain of salt...
To: StatesEnemy
Along the lines of "gathering of info and driver mode", I'd like to post an experience I had with some hardware I installed for my oldest daughter this Christmas. I bought her a Wacom drawing tablet. It's a USB device, but didn't come with any drivers for Linux. I plugged it into my system anyway just to see if I could tinker and make it work. After plugging it in, I thought something had gone wrong with my mouse, because the pointer was moving around. Nope. My daughter was playing with the tablet, and it was working exactly as it should. (it doubles as mouse-pad with a wireless mouse). I wish it had been as easy under windows to get working!!!
14 posted on 01/06/2004 6:06:51 AM PST by zeugma (The Great Experiment is over.)