oss-sec mailing list archives
Re: Linux kernel futex local privilege escalation (CVE-2014-3153)
From: Rich Felker <dalias () libc org>
Date: Fri, 6 Jun 2014 12:15:25 -0400
On Fri, Jun 06, 2014 at 09:04:49AM -0700, Greg KH wrote:
> On Fri, Jun 06, 2014 at 11:58:46AM -0400, Rich Felker wrote:
> > On Fri, Jun 06, 2014 at 05:43:28PM +0200, rf () q-leap de wrote:
> > > Greg> There is someone still maintaining 3.12-stable, why not rely
> > > Greg> on those releases if you want that kernel version, instead of
> > > Greg> rolling your own?
> > >
> > > We thankfully do rely on that as our base. In this case though, the patches haven't been ported until this moment. And I can't wait for them to appear since there is no time-line when that will happen ...
> >
> > Indeed. This is probably the biggest security flaw in Linux in the past 5 years (if not the biggest ever) since it allows a full kernel compromise even from extremely tight sandboxes. In my opinion, the way the announcement was handled was really unprofessional. There should have been fixes prepared for, and/or committed into the git repos for, all currently maintained releases/branches at the time of the announcement. Anything else leaves everybody but users of the big mainstream distros scrambling to figure out how to get a non-vulnerable kernel that's compatible with their current setups.
>
> That was planned, but something happened which caused the issue to "leak" much too early. It was not intentional at all, but rather a human error. The parties involved are very sorry about it, there was no malicious intention at all involved. Stuff happens, sorry.

Thanks for the clarification!

Rich