lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <200802102329.50843.phillips@phunq.net>
Date:	Sun, 10 Feb 2008 23:29:50 -0800
From:	Daniel Phillips <phillips@...nq.net>
To:	Pekka J Enberg <penberg@...helsinki.fi>
Cc:	torvalds@...ux-foundation.org, linux-kernel@...r.kernel.org,
	stable@...nel.org, jens.axboe@...cle.com,
	akpm@...ux-foundation.org, bastian@...di.eu.org, ndenev@...il.com,
	oliver.pntr@...il.com
Subject: [PATCH] vmsplice exploit fix (was: splice: fix user pointer access in get_iovec_page_array)

Kudos to all involved in the rapid response.  But.

Information on patching this vulnerability is not available front and 
center in many of the places you would expect: kernel.org front page, 
debian.org front page, covered on planet.debian.org but without a 
pointer to the patch, and so on.  So this post provides a subject line 
for Google to find, and for good measure mentions the word 
vulnerability.

Also,

   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953

I think many users would first go to kernel.org on a day like today, as 
I did.  Nothing to see there.  We could do a way better job of getting 
the word out.

Patch attached as posted above by Pekka.  For the mortals among us:

   cd linux-2.6.recent && patch <fix.vmsplice.exploit.patch -p1

Regards,

Daniel

View attachment "fix.vmsplice.exploit.patch" of type "text/x-diff" (752 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ