![]() |
|
Date: Thu, 5 Jun 2014 23:38:27 -0400 From: Rich Felker <dalias@...c.org> To: oss-security@...ts.openwall.com Subject: Re: Linux kernel futex local privilege escalation (CVE-2014-3153) On Thu, Jun 05, 2014 at 06:45:45PM +0400, Solar Designer wrote: > Hi, > > This was handled via linux-distros, hence the mandatory oss-security > posting. The issue was made public earlier today, and is included in > this Debian advisory: > > https://lists.debian.org/debian-security-announce/2014/msg00130.html > > --- > CVE-2014-3153 > > Pinkie Pie discovered an issue in the futex subsystem that allows a > local user to gain ring 0 control via the futex syscall. An > unprivileged user could use this flaw to crash the kernel (resulting > in denial of service) or for privilege escalation. > --- > > I've attached patches by Thomas Gleixner (four e-mails, in mbox format), > as well as back-ports of those by John Johansen of Canonical, who wrote: Maybe I'm missing something, but I can't find any statement of what version these patches are intended to apply cleanly to. They don't apply to latest stable. Rich
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.