[sclug] Linux kernel bug
John Stumbles
sclug at yaph.org.uk
Mon Aug 24 20:08:44 UTC 2009
Seen on another list
> Details of a bug affecting all versions of the Linux 2.4 and 2.6
> kernels since 2001 on all architectures has just been published. The bug
> leads to the kernel executing code at NULL. Details of the bug are
> available at:
>
> http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
>
> and details of a patch are available at:
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98
>
> Public exploits are available.
>
> We are not aware of any complete fixes for the various linux distributions
> yet.
>
> In the meantime the following are ways to mitigate the problem.
> For kernel 2.6.23 or later then you should be able to use the
> recent mmap_min_addr feature by doing the following as root:
>
> echo 4096 > /proc/sys/vm/mmap_min_addr
>
> Assuming that works then you can edit /etc/sysctl.conf and add:
>
> vm.mmap_min_addr = 4096
>
> which will make the change stick.
>
> There are some applications which may break as a result of this, such as
> DOSEMU or Wine.
>
> A second method is much more convoluted, but should work on older kernels.
>
> grep net-pf /lib/modules/$(uname -r)/modules.alias
>
> will list all the protocol families that your system can support. Then you
> can edit /etc/modprobe.conf.local to disable these protocols, e.g. by adding:
>
> alias net-pf-4 off # IPX
>
> However, this requires knowing which protocols you can live without. As a
> first pass you can run:
>
> lsmod | grep -F "$(grep net-pf /lib/modules/$(uname -r)/modules.alias | awk '{print $3 }'| sort -u)"
>
> which will list the protocols that are already active on the system.
There was a follow-up:
> CVE-2009-2692, fixed in FC11's kernel-2.6.29.6-217.2.7. 2.6.29.6-217.2.8
> fixes CVE-2009-2767 too.
--
John Stumbles http://yaph.org.uk
:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:
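The two mitigations quoted above (raising vm.mmap_min_addr, and turning off unused protocol-family modules with "alias net-pf-N off") are easy to get subtly wrong on a fleet, so here is an added audit script, not from the original post or the list it was forwarded from. It reads the live sysctl if present, parses a modules.alias file for net-pf entries, cross-checks them against lsmod output, and prints the "off" lines for families that are not currently loaded. The 4096 threshold is the value the post recommends; the modules.alias and lsmod contents at the bottom are constructed sample data, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): audit helpers for the two
# CVE-2009-2692 mitigations described above. Sample data is constructed.

MIN_ADDR_REQUIRED=4096   # threshold recommended in the post

# Classify an mmap_min_addr value: "ok" if at least the threshold, else "low".
# Takes the value as $1 so it can be tested without touching /proc.
classify_mmap_min_addr() {
    if [ "$1" -ge "$MIN_ADDR_REQUIRED" ] 2>/dev/null; then
        echo ok
    else
        echo low
    fi
}

# Read the live sysctl (kernel 2.6.23+). Prints "absent" when the file does
# not exist, which tells the operator to fall back to the modprobe method.
check_live_mmap_min_addr() {
    f=/proc/sys/vm/mmap_min_addr
    if [ -r "$f" ]; then
        classify_mmap_min_addr "$(cat "$f")"
    else
        echo absent
    fi
}

# Print "family module" for every net-pf alias in a modules.alias file ($1).
# modules.alias lines look like: "alias net-pf-4 ipx"
list_net_pf() {
    awk '$1 == "alias" && $2 ~ /^net-pf-[0-9]+$/ { print $2, $3 }' "$1" | sort -u
}

# Given modules.alias ($1) and saved lsmod output ($2), print the protocol
# families whose module is currently loaded, i.e. the ones in use.
active_net_pf() {
    list_net_pf "$1" | while read -r family module; do
        # skip the lsmod header line, match the module name in column 1
        if awk -v m="$module" 'NR > 1 && $1 == m { found = 1 } END { exit !found }' "$2"; then
            echo "$family $module"
        fi
    done
}

# Emit modprobe.conf-style "off" lines for every family that is NOT loaded,
# in the format the post uses; loaded families are left alone for review.
suggest_modprobe_off() {
    active=$(active_net_pf "$1" "$2")
    list_net_pf "$1" | while read -r family module; do
        if printf '%s\n' "$active" | grep -qxF "$family $module"; then
            continue
        fi
        echo "alias $family off # $module"
    done
}

# Constructed sample inputs (assumption: not from a real system).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/modules.alias" <<'EOF'
alias net-pf-4 ipx
alias net-pf-5 appletalk
alias net-pf-10 ipv6
alias net-pf-17 af_packet
alias char-major-10-200 tun
EOF
cat > "$SAMPLE_DIR/lsmod.txt" <<'EOF'
Module                  Size  Used by
ipv6                  262144  12
tun                    16384  0
EOF

# Stand-alone report.
echo "live mmap_min_addr: $(check_live_mmap_min_addr)"
echo "sample active families:"
active_net_pf "$SAMPLE_DIR/modules.alias" "$SAMPLE_DIR/lsmod.txt"
echo "sample suggested modprobe lines:"
suggest_modprobe_off "$SAMPLE_DIR/modules.alias" "$SAMPLE_DIR/lsmod.txt"
```

To use it on a real host, point list_net_pf at /lib/modules/$(uname -r)/modules.alias and feed active_net_pf the output of lsmod saved to a file; treat the suggested "off" lines as a starting point and review them, since the post's caveat stands: you need to know which families the machine can live without.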