[LUG.ro] Security problem in almost all GNU/Linux distros

Omar Arino oarino at fagdut.org.ar
Wed Nov 4 21:02:29 ARST 2009


On 4 November 2009 at 22:37, "Sebastián D. Criado"
<sebastian.criado at gmail.com> wrote:
> There is a null pointer dereference bug that would allow gaining
> root privileges. The bug would be fixed by version 2.6.32.
>
> --
> Red Midnight and other readers brought to our attention a bug in most
> deployed versions of Linux that could result in untrusted users getting root
> access. The bug was found by Brad Spengler last month. "The null pointer
> dereference flaw was only fixed in the upcoming 2.6.32 release candidate of
> the Linux kernel, making virtually all production versions in use at the
> moment vulnerable. While attacks can be prevented by implementing a common
> feature known as mmap_min_addr, the RHEL distribution... doesn't properly
> implement that protection... The... bug is mitigated by default on most
> Linux distributions, thanks to their correct implementation of the
> mmap_min_addr feature. ... [Spengler] said many other Linux users are also
> vulnerable because they run older versions or are forced to turn off
> [mmap_min_addr] to run certain types of applications." The Register reprints
> a dialog from the OpenBSD-misc mailing list in which Theo de Raadt says,
> "For the record, this particular problem was resolved in OpenBSD a while
> back, in 2008. We are not super proud of the solution, but it is what seems
> best faced with a stupid Intel architectural choice. However, it seems that
> everyone else is slowly coming around to the same solution."
> ----
>
I read it yesterday or today, I don't remember well, but there is something I didn't understand.
From what they say, one has to enable the mmap_min_addr feature, which apparently
is used for wine.
What can be done to protect oneself?

Omar
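
A way to check the mmap_min_addr mitigation named in the quoted article on a given machine, as an added example that is not part of the original messages. The function names are hypothetical, and the paths are the standard sysctl locations (`/proc/sys/vm/mmap_min_addr`, `/etc/sysctl.conf`, `/etc/sysctl.d/*.conf`).

```shell
#!/bin/sh
# Added example: audit vm.mmap_min_addr (runtime value and persistent overrides).

# Classify a numeric mmap_min_addr value.
# 0 means user space may map page zero, so the mitigation is off.
classify_min_addr() {
    case "$1" in
        ''|*[!0-9]*) echo "unknown" ;;
        *) if [ "$1" -eq 0 ]; then echo "disabled"; else echo "enabled"; fi ;;
    esac
}

# Print the running kernel's value; prints nothing if the file is absent.
read_runtime_min_addr() {
    f="${1:-/proc/sys/vm/mmap_min_addr}"
    [ -r "$f" ] && cat "$f"
    return 0
}

# List sysctl config lines that persistently set vm.mmap_min_addr to 0,
# for example a file installed so that some application can map low memory.
# Arguments: files to scan (defaults to the usual sysctl locations).
find_zero_overrides() {
    [ "$#" -gt 0 ] || set -- /etc/sysctl.conf /etc/sysctl.d/*.conf
    for f in "$@"; do
        [ -r "$f" ] || continue
        # /dev/null as a second file makes grep prefix the file name.
        grep -nE '^[[:space:]]*vm[./]mmap_min_addr[[:space:]]*=[[:space:]]*0+[[:space:]]*$' \
            "$f" /dev/null || true
    done
}

# Report both the live value and any boot-time override back to 0.
audit_mmap_min_addr() {
    v=$(read_runtime_min_addr)
    echo "runtime vm.mmap_min_addr: ${v:-unavailable} ($(classify_min_addr "$v"))"
    o=$(find_zero_overrides)
    [ -z "$o" ] || printf 'persistent overrides to 0:\n%s\n' "$o"
    return 0
}

audit_mmap_min_addr
```

A result of `disabled` means the mitigation is off on the running kernel; a nonzero value can be set with `sysctl -w vm.mmap_min_addr=<value>`, and any override line reported from the config files would turn it off again at the next boot.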

