Mailinglist Archive: opensuse-security-announce (12 mails)

[security-announce] New Linux kernel privilege escalation - heads up notice
  • From: Marcus Meissner <meissner@xxxxxxx>
  • Date: Wed, 4 Nov 2009 17:16:09 +0100
  • Message-id: <20091104161609.GA19473@xxxxxxx>
Hi,

A bug in the Linux kernel's "pipe" system call implementation was found which
can be used by local attackers to gain root privileges.

CVE-2009-3547
http://www.openwall.com/lists/oss-security/2009/11/03/1


This problem affects all our currently maintained Linux products.

- SUSE Linux Enterprise Server 9 / Open Enterprise Server 1

Are affected. Updates are being prepared and will be released next week.
There is unfortunately no workaround possible.


- SUSE Linux Enterprise Server / Desktop 10 SP2,
Open Enterprise Server 2 SP1

Are affected. Updates are being QA'ed and will be released at the beginning of
next week.
There is unfortunately no workaround possible.


- SUSE Linux Enterprise Server / Desktop 10 SP3

Are affected. Updates are being QA'ed and will be released at the beginning of
next week.

A workaround is possible by enabling the MMAP null page exploit protection
("mmap_min_addr") in this kernel, by doing (as root):

    echo -n 65536 > /proc/sys/vm/mmap_min_addr

To keep this persistent over the next boot, you can also add it to
/etc/sysctl.conf:

    vm.mmap_min_addr = 65536

(We did not enable this by default to avoid breaking legacy software.)


- SUSE Linux Enterprise Server / Desktop 11
openSUSE 11.0
openSUSE 11.1

Are affected by this problem, but the exploit cannot be used to execute code,
just to cause a crash / "Oops".

The kernel is using the MMAP null page exploit protection by default and so
the exploit is not effective (will just lead to an Oops).

You can verify the protection to be enabled by doing:

    cat /proc/sys/vm/mmap_min_addr

A value larger than 0 means "enabled".

Updates that fix this issue will be published, but not in the same hurry as
for the older product lines.


The delay of several days in getting kernel updates out is due to kernel
QA taking around 4 days, as it includes a number of regression, burn-in
and partner tests and careful evaluation of the generated results.

Ciao, Marcus
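
The check and workaround described in the mail above, as an added example that is not part of the original advisory: it reports whether the protection is active now and whether it will still be active after a reboot. The function names and status strings are hypothetical; the paths default to the ones named in the mail.

```sh
#!/bin/sh
# Added example (not from the advisory): audit the mmap_min_addr workaround.

# Print the last vm.mmap_min_addr value assigned in a sysctl.conf-style file.
# Comment lines (# or ;) are skipped; prints nothing if the key is not set.
conf_mmap_min_addr() {
    [ -r "$1" ] || return 0
    awk -F= '
        /^[ \t]*[#;]/ { next }
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == "vm.mmap_min_addr" { last = val }
        END { if (last != "") print last }' "$1"
}

# Compare the running value (procfs) with the boot-time value (sysctl.conf).
# $1 = procfs file, $2 = sysctl.conf; defaults are the paths from the advisory.
mmap_min_addr_status() {
    proc_file=${1:-/proc/sys/vm/mmap_min_addr}
    conf_file=${2:-/etc/sysctl.conf}
    [ -r "$proc_file" ] || { echo unknown; return 0; }
    running=$(tr -d ' \t\n' < "$proc_file")
    case $running in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    boot=$(conf_mmap_min_addr "$conf_file")
    case $boot in *[!0-9]*) boot= ;; esac      # treat a malformed entry as unset
    [ "$running" -gt 0 ] && now=on || now=off
    if [ -z "$boot" ]; then persist=unset
    elif [ "$boot" -gt 0 ]; then persist=on
    else persist=off
    fi
    case $now/$persist in
        on/on)    echo enabled ;;
        on/unset) echo enabled-not-persisted ;;  # kernel default or manual echo
        on/off)   echo enabled-until-reboot ;;   # sysctl.conf resets it to 0
        off/on)   echo disabled-until-reboot ;;  # configured but not yet applied
        *)        echo disabled ;;
    esac
}

# Constructed sample: value set with echo, but no entry added to sysctl.conf.
demo=$(mktemp -d)
echo 65536 > "$demo/mmap_min_addr"
printf '# constructed sample\nkernel.sysrq = 0\n' > "$demo/sysctl.conf"
mmap_min_addr_status "$demo/mmap_min_addr" "$demo/sysctl.conf"
rm -rf "$demo"
```

Called without arguments, mmap_min_addr_status reads the live /proc/sys/vm/mmap_min_addr and /etc/sysctl.conf.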