| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: ihaquer at isec.pl (Paul Starzetz) Subject: [SECURITY] [DSA-403-1] userland can access Linux kernel memory On Tue, 2 Dec 2003, Florian Weimer wrote: > > The debian announcement only says that by the time that this bug was > > discovered, it was too late already for the 2.4.22 kernel release. > > Another cre^Wgroup of researches publicly claimed that they had > discovered this issue and that their exploit might have leaked to the > underground. The report might be phoney, or it could reflect an > independent rediscovery. we discovered the bug at the end of September 2003 and started to study the vulnerability. About 15.10.2003 a first version of a proof-of-concept exploit already existed (nothing clean just run, get root and then crash). Due to the silent fix in the kernel tree (which we discovered while looking at the -rc patches for 2.4.22 to 2.4.23 at the end of November) we believed that 'the others' are convinced that the bug is not exploitable, thus we decided to schedule an article for a security magazine at the end of this year and start a public disclosure. Unfortunately it may be possible that a binary image of the latest exploit code has been leaked outside of iSEC machines... We are preparing a technical paper for the next 30 days. regards Paul Starzetz
Powered by blists - more mailing lists