|
patch: prevent Privilege Escalation via SUID /proc/pid/mem Write
Shure you're already aware of this:
Linus published a patch to fix /proc/<pid>/mem handling: git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc. And some exploits are already published, too blog.zx2c4.com/749. some big distros reacted quickly (e.g. Ubuntu), but latest liquorix still is fulnerable. PS: posting links is quite annoying. It only shows [new user link] and at times not all. Back to top |
|||||
|
Re: patch: prevent Privilege Escalation via SUID /proc/pid/mem Write
Gnaah… A brand new kernel 3.2.0-1.dmz.5-liquorix-amd64 just arrived and is still vulnerable. :-/
Back to top |
|||||
|
Finally, an alternative to sudo.
No, I'll get this patched up and release 1.dmz.6 later today. Back to top |
|||||
|
3.2.1-1.dmz.6 is out with this patch (plus some early patches that are going into 3.2.2).
Back to top |
|||||
|
ej64, before you complain, make sure the problem isn't YOU.
You disabled your bbcode in your posting/user settings, why you did that is beyond me, but if you do that, the links get disabled. The new user link is to protect against forum spammers, but it can't help me much with users who turn off the features they complain about not working. Also, before I corrected your bbcode, it would not h ave worked anyway, you had this, with spaces so you can see it: [ url=http://somesite.com/lsdjf][/url] which if you hadn't turned off bbcode, would have shown a blank space instead of a link. Back to top |
|||||
|
Re: patch: prevent Privilege Escalation via SUID /proc/pid/mem Write
@ techAdmin
what I wrote in the first place was this (with BBCode enabled): :: Code :: [url=http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc]Linus published a patch to fix /proc/<pid>/mem handling[/url]. And [url=http://blog.zx2c4.com/749]some exploits are already published[/url], too.Seems now you have promoted me beyond the "new user" status, so I can't show this misbehaviour anymore. Btw: I'm german and can stand some rude words, but if you're after some constructiveness you shouldn't piss off the users immediately. Back to top |
|||||
|
Just a note on the topic: The fix fixed. Thank you, damentz!
Back to top |
|||||
|
ej64, you had turned off bbcode, so nothing you did would have resulted in any link ever showing.
This odd decision cost me about 1 hour of my time trying to find a bug that didn't exist since I would never have considered that a poster complaining about links not working would turn off the very thing that makes links work. Not appreciated. I tend to hold linux users to higher technical accountability standards, ie, I trust a bug report from them more than regular users, foolish, I know, but there you have it. Cost us both time. Try to be a bit less clever next time is my advice. While I can pretend that I didn't mind losing that time, I won't, it was annoying. The new user link as noted is an antispam feature, and never at any time disabled any link, so complaining about that is really not an interesting thing to hear. I did modify the code a bit to show the url now for non new users, makes it easier to cut and paste in links without formatting them. Back to top |
|||||
|
by the way, as for the valuable information you provided, links to the patches, and alerting damentz to them, that part is of course greatly appreciated.
Back to top |
|||||
|
yeah good job damentz
Back to top |
|||||
|
All times are GMT - 8 Hours
|
|||||