oss-sec mailing list archives

Re: Linux kernel futex local privilege escalation (CVE-2014-3153)


From: Rich Felker <dalias () libc org>
Date: Fri, 6 Jun 2014 11:58:46 -0400

On Fri, Jun 06, 2014 at 05:43:28PM +0200, rf () q-leap de wrote:
    Greg> There is someone still maintaining 3.12-stable, why not rely
    Greg> on those releases if you want that kernel version, instead of
    Greg> rolling your own?

We thankfully do rely on that as our base. In this case though, the
patches haven't been ported until this moment. And I can't wait for them
to appear since there is no time-line when that will happen ...

Indeed. This is probably the biggest security flaw in Linux in the
past 5 years (if not the biggest ever) since it allows a full kernel
compromise even from extremely tight sandboxes. In my opinion, the way
the announcement was handled was really unprofessional. There should
have been fixes prepared for, and/or committed into the git repos for,
all currently maintained releases/branches at the time of the
announcement. Anything else leaves everybody but users of the big
mainstream distros scrambling to figure out how to get a
non-vulnerable kernel that's compatible with their current setups.

Rich

