"Invisible Thing Lab" has found a serious security hole in Kernel/X.org that could give intruders full root access to your box with any graphical application via X-server.
A temporary fix was made on the 13th August, and kernel 2.6.27.52, 2.6.32.19, 2.6.34.4, and 2.6.35.2 have now been patched with this fix.
The hole in the security was published yesterday:
http://theinvisiblethings.blogspot.com/ ... in-linux...
https://bugzilla.redhat.com/show_bug.cg ... -2010-2240
http://www.desktoplinux.com/news/NS7769 ... tml?kc=rss
http://www.phoronix.com/scan.php?page=n ... &px=ODUyMA
http://www.invisiblethingslab.com/itl/Welcome.html
Security flaws in Kernel/X.org
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"
"There are no stupid questions - Only stupid answers!"
- dedanna1029
- Sound-Berserk
- Posts: 8784
- Joined: 14 Mar 2010, 20:29
Re: Security flaws in Kernel/X.org
Oh yay. Not. You mean I gotta go thru all that xorg crap again? (Fedora and Arch both)
Edit: Tell you what. First one that gets borked from the updates, is the first one I take off my machine. I'm getting real tired of this. They better get it right the first time (wow. I just made a real good joke there 'cause I know it's not gonna happen).
http://twitter.com/dedanna1029/status/21563110698
I'd rather be a free person who fears terrorists, than be a "safe" person who fears the government.
No gods, no masters.
"A druid is by nature anarchistic, that is, submits to no one."
http://uk.druidcollege.org/faqs.html
Re: Security flaws in Kernel/X.org
dedanna1029 wrote: Oh yay. Not. You mean I gotta go thru all that xorg crap again? (Fedora and Arch both)
Edit: Tell you what. First one that gets borked from the updates, is the first one I take off my machine. I'm getting real tired of this. They better get it right the first time (wow. I just made a real good joke there 'cause I know it's not gonna happen).
http://twitter.com/dedanna1029/status/21563110698
No, you will probably not be affected by it unless you run a server with other users. The exploit needs an "attacker", and he needs to allocate many large pixmaps, thus exhausting the X server's address space. Then he must create a shared memory segment S and force the X server to attach it to the only available region left, which will be close above the stack. Then the attacker instructs the X server to call a recursive function, which results in the stack being extended and the stack pointer being moved to S for a brief period of time (during recursion).
The attacker can then write to S. This will overwrite the stack locations and allow code execution = very bad.
There is no error or misbehavior in the software you got, so even if you blame it, it probably is just you that fubared.
This error has most likely been around for years, since kernel 2.6.
- dedanna1029
Re: Security flaws in Kernel/X.org
Man, I can't even mentally keep up with all that, much less imagine someone doing it LOL. Hard to follow for me.
Re: Security flaws in Kernel/X.org
Basically there has to be a person involved - that has access to your computer. And he has to be a bad person - like a politician or something
Edit:
Sorry we can rule them out - the person has to be smart too
- dedanna1029
Re: Security flaws in Kernel/X.org
viking60 wrote: Basically there has to be a person involved - that has access to your computer. And he has to be a bad person - like a politician or something
Edit:
Sorry we can rule them out - the person has to be smart too
*giggles* LOL