Date: Sun, 6 Jul 2014 00:36:27 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2014-4699: Linux ptrace bug On Sat, Jul 05, 2014 at 10:25:50PM +0200, Yves-Alexis Perez wrote: > On dim., 2014-07-06 at 00:20 +0400, Solar Designer wrote: > > On Sat, Jul 05, 2014 at 09:58:15PM +0200, Yves-Alexis Perez wrote: > > > And the system is usable after that. > > > > Yet both are vulnerable, with privilege escalation likely possible. > > Yes, sorry if my initial answer was suggesting the kernels were not > vulnerable. No, I was just clarifying for others. You do actually have all kernels listed as vulnerable here: https://security-tracker.debian.org/tracker/CVE-2014-4699 > It was just that we didn't managed to make them crash on the > few boxes we tried on. I think the "Kernel panic - not syncing: Machine halted" is actually unexpected. The PoC isn't meant to crash the machine, although as we've seen it might. It's meant to test whether the issue is triggerable, and if it is we should assume that a real exploit may do more (including both DoS and privilege escalation). Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.