CVE-2014-4699: Linux ptrace bug<br />
<a href="http://seclists.org/oss-sec/2014/q3/40">http://seclists.org/oss-sec/2014/q3/40</a><br />
<br />
[quote]<br />
Upstream commit b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a fixes a<br />
ptrace bug. The exact scope of the bug is somewhat unclear right now.<br />
I see no reason why the bug should not be present as far back as Linux<br />
2.6.17, but it seems to be difficult to reproduce on old kernels.<br />
<br />
There is some ongoing discussion on linux-distros about the impact and<br />
applicability of this bug.<br />
<br />
More details and a PoC to follow some time next week.<br />
<br />
I'm being intentionally vague here: this bug has existed for a long<br />
time, but exploiting it at all is tricky enough (and possibly<br />
kernel-version dependent enough) that it's gone unnoticed. I would<br />
currently prefer to give the distros and users a bit of a headstart<br />
before publicly disclosing the complete details of how to test/exploit<br />
the bug. It is likely to have a high enough impact, at least on new<br />
enough kernels, that it should be patched ASAP.<br />
<br />
Patch:<br />
<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a">https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a</a><br />
<br />
commit b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a<br />
[/quote]