×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Root Privileges Through Linux Kernel Bug

timothy posted more than 3 years ago | from the who-needs-windows? dept.

Bug 131

Lars T. writes "The H has a story about a Linux kernel bug that allows root level access. 'According to a report written by Rafal Wojtczuk (PDF), a conceptual problem in the memory management area of Linux allows local attackers to execute code at root level. The Linux issue is caused by potential overlaps between the memory areas of the stack and shared memory segments.' SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004, but for unknown reasons this fix was not included in the Linux kernel. The bug is not related to the X Server bug found by Brad Spengler." As the linked article notes: "SUSE itself has the fix and SUSE Linux Enterprise 9, 10 and 11 as well as openSUSE 11.1 through 11.3 do not exhibit this vulnerability."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

131 comments

Unrelated? The PDFs are the same! (4, Informative)

Anonymous Coward | more than 3 years ago | (#33307782)

How can the two bugs be unrelated? both articles have the exact same link to the exact same PDF! (Hint: the pdf's filename is xorg-large-memory-attacks.pdf on both).

Re:Unrelated? The PDFs are the same! (4, Insightful)

NeverVotedBush (1041088) | more than 3 years ago | (#33308006)

I think what it is is that the Xorg server is an easy attack vector for the Linux kernel memory management issue.

The memory management issue is the thing that enables using a flaw in the X server to escalate privilege. If you fix the X server to not allow that kind of manipulation, you still have the kernel memory management issue that could be used by some other application to escalate privilege.

I think that fixing the X server - one mitigation is to disable the MIT-SHM extension as discussed in the pdf - really reduces the exposure but since the real problem is in the kernel, it doesn't completely remove the threat.

At least that is how I understand it...

Re:Unrelated? The PDFs are the same! (0)

Anonymous Coward | more than 3 years ago | (#33308170)

"In an email to The H, Joanna Rutowska clarifies that Spengler's exploit targets "some unrelated vulnerability" and her reference to it was in relation to guesses made by Spengler noted in the source code comments."

Re:Unrelated? The PDFs are the same! (2, Informative)

bjourne (1034822) | more than 3 years ago | (#33311802)

I think that fixing the X server - one mitigation is to disable the MIT-SHM extension as discussed in the pdf - really reduces the exposure but since the real problem is in the kernel, it doesn't completely remove the threat.

The shm extension is integral to all modern xorg servers. You *may* be able to run xorg without shm, but many programs will refuse to work and performance will drop to a few percent of what it is with shm enabled. It's the transport the X server uses for communication with its client. With shm (shared memory) disabled, it has to serialize all objects and send them over a socket which of course is dog slow.

Re:Unrelated? The PDFs are the same! (2, Funny)

Tumbleweed (3706) | more than 3 years ago | (#33308008)

How can the two bugs be unrelated? both articles have the exact same link to the exact same PDF! (Hint: the pdf's filename is xorg-large-memory-attacks.pdf on both).

The identical links are caused by another bug called PEBKAC.

Re:Unrelated? The PDFs are the same! (0, Troll)

Anonymous Coward | more than 3 years ago | (#33308128)

Not really.

Microsoft marketing's pissed that Slashdot is discussing 40 currently exploitable Windows vulnerabilities, so they've paid the Slashdot shills to dupe the Linux vuln at least 40 times.

And, you might note they're STILL discussing Linux in the Windows thread....

Re:Unrelated? The PDFs are the same! (5, Informative)

lortho (700090) | more than 3 years ago | (#33308116)

It's because both articles are actually about the Wojtczuk report, and they both mis-quote Joanna Rutkowska as stating the bug is related to Spengler's X-Server flaw. She clarifies in an update to H-Online's version of the article that she was misunderstood and that they are actually unrelated.

Re:Unrelated? The PDFs are the same! (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33308138)

These bugs are further proof of Linux's underlying homosexuality. If the developers weren't so busy taking turns tea-bagging each other, the bugs would have been fixed sooner or never been there in the first place. It just goes to show what you get from a bunch of queers writing software. Using Linux will make you gay. That's the real reason Linux is given away for free.

Re:Unrelated? The PDFs are the same! (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33311512)

straighteners ghd [salehairstraightener.com]
straighteners hair [salehairstraightener.com]
hair straighteners best [salehairstraightener.com]
curly black [salehairstraightener.com]
new hair straighteners [salehairstraightener.com]
hair mini straighteners [salehairstraightener.com]
mini straighteners [salehairstraightener.com]
pink straighteners [salehairstraightener.com]
hair straighteners mini [salehairstraightener.com]
hair ceramic straighteners [salehairstraightener.com]
wide straighteners [salehairstraightener.com]
straighteners cheap [salehairstraightener.com]
travel hair straighteners [salehairstraightener.com]
hair straighteners cordless [salehairstraightener.com]
hair straighteners babyliss [salehairstraightener.com]
remington hair straighteners [salehairstraightener.com]
hair corioliss [salehairstraightener.com]

Long live to SUSE??? (0, Troll)

stanlyb (1839382) | more than 3 years ago | (#33307788)

So, is he trying to say that only SUSE is protected, and bug free, and hack free, and.........what is the reason to not have this fix in main kernel tree? For me, it sounds like some very nasty and dirty war.

Re:Long live to SUSE??? (2, Informative)

valeo.de (1853046) | more than 3 years ago | (#33307886)

No, just that this particular bug has been patched in SUSE for six years, while mainline has only just gotten the fix.

Re:Long live to SUSE??? (1, Troll)

Inner_Child (946194) | more than 3 years ago | (#33308172)

Then why wasn't the patch submitted to mainline six years ago? Or if it was, why did it take so long to get accepted?

Re:Long live to SUSE??? (0, Redundant)

alanebro (1808492) | more than 3 years ago | (#33308462)

You didn't even read the summary, let alone the article. Good work.

From the article: 'As the linked article notes: "SUSE itself has the fix and SUSE Linux Enterprise 9, 10 and 11 as well as openSUSE 11.1 through 11.3 do not exhibit this vulnerability."'

Re:Long live to SUSE??? (5, Informative)

alanebro (1808492) | more than 3 years ago | (#33308624)

Cut my post too short.

"SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004, but for unknown reasons this fix was not included in the Linux kernel"

Re:Long live to SUSE??? (0)

Anonymous Coward | more than 3 years ago | (#33310364)

It was probably the "Linus doesn't scale" issue.

It used to be that everyone just emailed patches to Linus, and if he wasn't too drunk he would sometimes patch them into the kernel tree. This started becoming seriously unworkable in the 2.4-2.5 time period, which lead a much more systematic approach of version control systems, shorter release cycles, lieutenants and sub-maintainers and so on.

Frist plast! (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33307794)

Root privilegies allow me a higher priorite -> First post!

Re:Frist plast! (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33307852)

first post? thy fail is cherry flavored to me.

Linux! "It just works!" (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#33307828)

Except, y'know, when it doesn't.

Re:Linux! "It just works!" (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33307880)

Indeed, 5 years old and no exploit. Patched several years ago by the distros. The question is why didn't it get back into the kernel tree.

Re:Linux! "It just works!" (5, Funny)

nomadic (141991) | more than 3 years ago | (#33308050)

Indeed, 5 years old and no exploit. Patched several years ago by the distros. The question is why didn't it get back into the kernel tree.

Why not ask the kernel developers? Nah, I'm not just joking, don't ask those nutjobs anything, they'll just freak out and start yelling at you.

Re: Ask the Kernel Overlords (4, Interesting)

xiando (770382) | more than 3 years ago | (#33308222)

Why not ask the kernel developers? Nah, I'm not just joking, don't ask those nutjobs anything, they'll just freak out and start yelling at you.

I've seen many similar statements, so there may be some truth to this, but my experience is that they give you a short-as-possible only-most-relevant question such as "Can you bisect?" or reply like "Patch rejected: missing signoff". It appears their time is very valuable or they have to pay $5 pr. typed letter.

Re: Ask the Kernel Overlords (5, Informative)

Zero__Kelvin (151819) | more than 3 years ago | (#33309528)

"I've seen many similar statements, so there may be some truth to this, but my experience is that they give you a short-as-possible only-most-relevant question such as "Can you bisect?" or reply like "Patch rejected: missing signoff". It appears their time is very valuable or they have to pay $5 pr. typed letter"

Behold the phenomenal power off Open Source! The time of each and every kernel developer is in fact a highly valuable commodity, yet I get the benefit of the fruits of their labor without shelling out a sixpence! And the best part? This was fixed last week [kernel.org] .

Re: Ask the Kernel Overlords (3, Interesting)

smash (1351) | more than 3 years ago | (#33310404)

So, only 6 years late then? SuSE just went way up in my book.

Re: Ask the Kernel Overlords (0, Flamebait)

buchanmilne (258619) | more than 3 years ago | (#33311220)

So, only 6 years late then? SuSE just went way up in my book.

SuSE just went way down in my book, to join the "we-don't-upstream" vendors such as Canonical.

Really, there may have been an excuse for not upstreaming this during the linus-doesn't-scale period, but other distros have explicit "patch-review-in-order-to-upstream" initiatives, this one should have been caught by SuSE some time in the last 6 years, and reviewed by their kernel maintainers, and re-submitted.

Re: Ask the Kernel Overlords (0)

Anonymous Coward | more than 3 years ago | (#33311258)

So SuSE managed to patch every new kernel they incorporated in their system to include their patch for 6 years and didn't bother to tell it upstream (again)? It should have rung a bell every time they had to reapply their patch.

Re: Ask the Kernel Overlords (1)

Provocateur (133110) | more than 3 years ago | (#33311770)

You're lucky to get a "Can you bisect?"

All I got was a "Does it blend?" and a derisive snort.

Re:Linux! "It just works!" (1, Troll)

nizo (81281) | more than 3 years ago | (#33307966)

I wonder how many bugs like this are lurking in closed source products, just waiting to be discovered and exploited?

Re:Linux! "It just works!" (0)

Anonymous Coward | more than 3 years ago | (#33308062)

And the relevance of your post other than a weak attempt at deflection is what?

Re:Linux! "It just works!" (0)

Anonymous Coward | more than 3 years ago | (#33308086)

And that's the point, in the case of closed source software you can only wonder. :-)

Re:Linux! "It just works!" (0)

Anonymous Coward | more than 3 years ago | (#33311152)

Yes, and with OSS we know exactly how many unpatched and undiscovered bugs there are!

Oh, wait..

Re:Linux! "It just works!" (3, Insightful)

MobileTatsu-NJG (946591) | more than 3 years ago | (#33308370)

I wonder how many bugs like this are lurking in closed source products, just waiting to be discovered and exploited?

I wonder how many bugs like this are lurking in open source projects, just waiting to be discovered and used against people that assume that the software they use is secure because they read Slashdot comments.

Re:Linux! "It just works!" (1)

LingNoi (1066278) | more than 3 years ago | (#33310242)

Bugs are apart of software as a whole. Every program open or closed is vulnerable to some kind of bug. The difference being however that with linux bugs I tend to hear about them after I already downloaded the fix. [slashdot.org]

Nothing to see here.... (3, Informative)

interfecio (1023595) | more than 3 years ago | (#33307898)

From the RedHat bug report: Eugene Teo (Security Response) 2010-08-12 21:44:06 EDT Linus has committed a fix for this issue: http://git.kernel.org/linus/320b2b8de12698082609ebbc1a17165727f4c893 [kernel.org]

Re:Nothing to see here.... (5, Insightful)

JohnFluxx (413620) | more than 3 years ago | (#33308058)

I don't agree that it's "nothing to see here" - something has gone wrong if it took 6 years for this to happen.

Re:Nothing to see here.... (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33308202)

Not really,

look at SuSe management after Novell has taken over , and their support to end customers . Lets talk after that.

Re:Nothing to see here.... (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#33308210)

Maybe Linus is applying for some Apple job and wanted to show that he would fit well there.

Re:Nothing to see here.... (2, Funny)

Anonymous Coward | more than 3 years ago | (#33308382)

Here at Linux Vintners, we will commit no bug fix before its time.

This properly aged bug fix boasts an intense, highly indented C syntax and fragrant blackberry, vanilla, and dark chocolate comment style with just a hint of peppercorns. Richly textured and firmly structured, its lavish blackberry, ripe black plum, dark cherry and spice flavors are enlivened by crisp lint-warning-free compilations. Given its superb balance of fruit, oak, acid and tannin, this sumptuous contextual patch aged beautifully for 6 years, and is now ready to be enjoyed with 2.6 kernels on every platform.

Re:Nothing to see here.... (3, Insightful)

petermgreen (876956) | more than 3 years ago | (#33308446)

Agreed it would be good to know where the breakdown in communication happened. Did it get ignored because the submitter didn't realise it was a security issue and report it as such? Did someone just miss an email somewhere? (and if so why wasn't there a system in place to keep track of current security bugs and make it bloody obvious which ones still needed fixing along with someone responsible for looking at that list and fixing them). Was the breakdown on the SUSE side or the upstream side?

Re:Nothing to see here.... (0, Redundant)

valeo.de (1853046) | more than 3 years ago | (#33309158)

Apparently the patch that Andrea Arcangeli submitted back in 2004 was deemed too ugly for inclusion. I've not been able to find an authoritative source on this though, so by all means take this with heaps of salt.

Re:Nothing to see here.... (4, Interesting)

jittles (1613415) | more than 3 years ago | (#33309204)

My guess would be an oversight at kernel.org. I submitted a kernel patch to the USB HID driver back in the days of 2.6.10 and 2.6.13. The driver was incorrectly suspending its state (I can't remember what it was doing off the top of my head) while it held onto a spinlock. The result was 100% CPU utilization when you called certain ioctls made available by the driver. The patch didn't make it in until 2.6.17 if I recall correctly, and not until someone with a name submitted a patch for it.

you didn't do it right (4, Informative)

Chirs (87576) | more than 3 years ago | (#33310930)

If you really want to get a fix in, the correct procedure is to keep pestering the maintainer for that area until they accept your patch. If you can't get them to accept it, you go up the chain.

Yes, in an ideal world all maintainers would be perfectly organized. In the real world things get lost, they get distracted, other issues pop up, and the patch doesn' t make it in.

If you care about it...make some noise.

Re:Nothing to see here.... (1)

_Sprocket_ (42527) | more than 3 years ago | (#33308106)

Isn't it something to see / know about until one gets that fix out to the kernel on our live system(s)? We expect a speedy fix. Now begins the race to get the fix live.

Re:Nothing to see here.... (1)

Target Practice (79470) | more than 3 years ago | (#33308674)

And I raise a mug of coffee to all my fellow sysadmins this evening. There goes my damned server uptime, and here comes my damned conscious uptime.

Sleep... she is for the weak!

Re:Nothing to see here.... (0, Troll)

h4rr4r (612664) | more than 3 years ago | (#33308760)

Why is X on a server?

Sounds like something a windows user/sysadmin would do.

Re:Nothing to see here.... (1, Troll)

_Sprocket_ (42527) | more than 3 years ago | (#33308826)

Because if you don't have a flashy screensaver going, all the black will cause the damn Windows sysadmin to think that port of the KVM is unused and he can swipe it for another box.

Re:Nothing to see here.... (1)

PReDiToR (687141) | more than 3 years ago | (#33310214)

What on earth would you need a KVM for on a Linux server?

SSH on a non-standard iptables limited port should be the only way into a Linux server, shouldn't it?

Re:Nothing to see here.... (1)

dave562 (969951) | more than 3 years ago | (#33310274)

That's all great, until the switch fails. Let me know when SSH overcomes that whole lack of network connectivity scenario.

Re:Nothing to see here.... (2, Funny)

_Sprocket_ (42527) | more than 3 years ago | (#33311180)

That's actually an inside joke. I did have a box that I had originally racked and set up on the rack KVM. Almost 2 years later, I was intending to walk up to the box and boot it in to single user mode to find out that someone had decided we never used the KVM port and had set it up for some other system. When I asked around, the best guess was that I had lost my spot on the KVM at least a year ago. I wondered aloud whether I needed to run a screensaver banner that claimed ownership of the KVM port to keep it.

And yes - the vast majority of interaction with that box was via SSH (although I had no reason to put it on a non-standard port).

Re:Nothing to see here.... (1)

Bert64 (520050) | more than 3 years ago | (#33311456)

Well, i usually use serial consoles instead of a KVM...

A basic KVM is cheap, but IP based ones are pricey.. Serial consoles are cheap and you can still access them without having to go and stand in the server room.
Plus an IP based KVM uses a lot of bandwidth to transfer screendumps over the network, making it rather useless on a slow link.... Serial is much better in this regard.

Re:Nothing to see here.... (1)

Bert64 (520050) | more than 3 years ago | (#33311440)

Apparently you need an X server to install and run some parts of Oracle...

Re:Nothing to see here.... (2, Informative)

LingNoi (1066278) | more than 3 years ago | (#33310212)

Race?

The most popular distros already patched it days ago and others are currently in testing.

Redhat patched it 2 days ago [redhat.com] .
Ubuntu patched it 2 days ago [launchpad.net] .
Fedora is currently testing the patches [spinics.net] . Not sure if it's already live.
Debian Lenny has patched it [debian.org] .

Re:Nothing to see here.... (1)

_Sprocket_ (42527) | more than 3 years ago | (#33311192)

Race?

The most popular distros already patched it days ago and others are currently in testing.

Yes, race. All that is part of it. But that doesn't put the kernal live on any given system. I have to take that step. And, depending on your environment, that may require a bunch of other operational steps.

I'm not making a comment on the difficulty of doing any of this (it tends to be quick and painless in most situations). I'm noting that this is, in fact, news. There IS something to see here. People who are in the position to update a kernal should know about this and know to push it (if they haven't already).

Re:Nothing to see here.... (4, Insightful)

Americano (920576) | more than 3 years ago | (#33308174)

Nothing to see here? Will you say the same thing when Microsoft waits 6 years to apply a fix to WinXP? :)

Yes, these things are less likely to happen with Linux. That doesn't mean Linux kernel processes are above reproach, and can't be made more responsive & accountable in cases like this where somebody obviously dropped the ball on merging a patch somewhere. I hope they spend a little time reviewing how this got missed, to make sure it's not a flaw in their process that could allow it to happen again.

Re:Nothing to see here.... (1)

gmuslera (3436) | more than 3 years ago | (#33308208)

Still is something to see there, at least for a few days till maintained distributions push that patch to their kernels and pushes them to the people that keep doing security updates. And for old, running unmaintained distributions servers, could be a bit more complicated. Still, this is a local vulnerability, and not exactly trivial to exploit.

Re:Nothing to see here.... (3, Funny)

Beelzebud (1361137) | more than 3 years ago | (#33308282)

"Nothing to see here....." says Lt. Frank Drebin, as the fireworks factory behind him burns to the ground.

Compare to Apple... (2, Interesting)

Myria (562655) | more than 3 years ago | (#33310812)

Compare this to Apple, which still hasn't fixed my Darwin kernel ring 0 exploit, which I reported in June.

It's x86-only, so no, it can't be used for the second step of an iPhone jailbreak. =(

Wait... what? (0, Troll)

Dumnezeu (1673634) | more than 3 years ago | (#33307946)

I don't understand TFH / TFS / TFA. Are we talking about local privilege escalation by overwriting the memory space owned by processes running as root?

Re:Wait... what? (0)

Anonymous Coward | more than 3 years ago | (#33308022)

Yes.

Re:Wait... what? (2, Informative)

Short Circuit (52384) | more than 3 years ago | (#33308136)

If I read the git patch correctly, if said root process has a memory-mapped page coincident with a non-root process, and the non-root process can write to said memory mapped region (via having it memory mapped into their own process), then said non-root process can affect the behavior of the root process.

What was broken, and appears to have been corrected, is that an application's *stack* could grow into a memory-mapped page and corrupt the data in the root process while it's at it. (The stack is a piece of memory that hold data about the functions currently executing in a particular thread in your program.)

(enter educated guess section; I spend most of my time coding userland apps on Windows, not Linux.)

The case where this seems most possible to exploit is the loading of shared libraries. I don't know if the same mmap mechanism is used by the kernel, though. While it's entirely probable that writing to that region is protected, so long as the application is doing so under its own memory privilege level, it's possible that there's a syscall into the kernel that expands a thread's stack when the allocated memory for that stack is nearly exhausted. The syscall's operations run with kernel privileges, and it looks like the stack page allocator wasn't sufficiently checking the properties of the userland address it was allocating stack into.

(end educated guess section; I'm probably wrong, anyway.)

Re:Wait... what? (4, Informative)

mandelbr0t (1015855) | more than 3 years ago | (#33308248)

Actually, no, this is a simple Stack Buffer Overflow. Basically, by causing a running privileged process (e.g. X Server) to make a recursive call, the stack will grow into memory space owned by the unprivileged user. Now, all the unprivileged user has to do is put some code somewhere (perhaps by exploiting another buffer overflow) and rewrite the return address, which lives in its memory page.

The fix adds a guard page between the shared memory region and the system stack to protect against the stack growing into memory where it is no longer protected. At any rate, ProPolice would have prevented this mistake from being exploitable.

Re:Wait... what? (1)

Short Circuit (52384) | more than 3 years ago | (#33308362)

Wait...they didn't already have a guard page? I kinda assumed that was already there. Ow.

*marks self down as "needs improvement" in patch reading comprehension skills*

Ummmmm, a local exploit. (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#33308148)

But that would indicate the attacker has access to the machine, and once that happens it a lost cause regardless. This is a non story.

Re:Ummmmm, a local exploit. (2, Insightful)

maxwell demon (590494) | more than 3 years ago | (#33308220)

No, normally access to the machine at user level should not imply access to the machine at root level.

Re:Ummmmm, a local exploit. (0)

Anonymous Coward | more than 3 years ago | (#33308292)

I'm logged into a server with >100 other users at the moment.

I don't have root access and in all likelihood never will (unless I become an admin, which involves passing 2 tests and getting elected).

The possibility of me, or any of the other 100 non-admins, getting root access to the machine is a very big deal.

Re:Ummmmm, a local exploit. (2, Interesting)

Beelzebud (1361137) | more than 3 years ago | (#33308364)

If it's a non-story then why did Linus patch it today? Apparently he didn't agree with your flippant way of looking at OS security.

ZOMG!!! (0, Troll)

Schnoogs (1087081) | more than 3 years ago | (#33308342)

Windows is so unsafe!! Linux is so much better. Micro$oft is evil...their software is buggy. Linux is teh best eva. Linux + firefox is for real users. Windows and IE are for people who want to get hacked!!!!

ZOMG!!!! Windows is so lame!! Linux is teh best eva made and is so uber smart to use!!!

Re:ZOMG!!! (3, Insightful)

Dunbal (464142) | more than 3 years ago | (#33308440)

What part of "local attackers" do you fail to understand?

Re:ZOMG!!! (4, Funny)

GameboyRMH (1153867) | more than 3 years ago | (#33308576)

Cut the guy a break, he's a Windows fanboy. He probably thinks a local user is just anyone in the same geographic region.

Re:ZOMG!!! (2, Insightful)

cbhacking (979169) | more than 3 years ago | (#33308952)

He's a troll, but that doesn't mean that there isn't a grain of truth to what he implies. Most Windows exploits are also technically local attacks, as are Trojans (by definition). Somebody thinking that they're safe (because the software runs with limited permissions) would be in for a nasty surprise if an attacker exploited this.

Re:ZOMG!!! (0)

Anonymous Coward | more than 3 years ago | (#33311942)

Most Windows exploits are also technically local attacks

I dispute that. I always read the notes on the various updates that microsoft keeps pushing out to my windows machines, and quite a few of them talk about unauthenticated remote attackers being able to take over a system. Not all do, not even all the critical ones, but enough do.

Re:ZOMG!!! (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#33309940)

You both eat dicks. Sad you fucks can't afford a real computer.

Tuesday (2, Funny)

dandart (1274360) | more than 3 years ago | (#33308482)

At least we don't have to wait for four Tuesdays' time for the fix...

You're holding it wrong.

Re:Tuesday (4, Funny)

Gadget_Guy (627405) | more than 3 years ago | (#33309688)

At least we don't have to wait for four Tuesdays' time for the fix...

No, we had to wait over 300 Tuesdays for the fix to the kernal. That's 75 times better!

Re:Tuesday (0)

Anonymous Coward | more than 3 years ago | (#33311708)

Ohh come on. Microsoft doesn't fix it and then once they do you still have to wait for patch Tuesday! Give me a break. This just got overlooked somehow. Once it was realized we had patches in days not weeks or months. There isn't a patch Tuesday on GNU/Linux land.

Re:Tuesday (0)

Anonymous Coward | more than 3 years ago | (#33311914)

At least we don't have to wait for four Tuesdays' time for the fix...

No, we had to wait over 300 Tuesdays for the fix to the kernal. That's 75 times better!

Kern*a*l? I was about to cheer that there are survivors from the Commodore 64 era, but your UserID is too high for that...

The Beauty of Open (1, Troll)

amiga3D (567632) | more than 3 years ago | (#33308732)

Amazing that SUSE fixed this in it's distro. In the proprietary world they'd still be waiting for the OS maker to fix it. SUSE just fixed it themselves. Many windows bugs could have been fixed but yet remained waiting for years until MS got around to it.

Re:The Beauty of Open (0)

Anonymous Coward | more than 3 years ago | (#33311498)

Mmmh.. isn't Suse an OS maker ?
I don't care if they get the kernel from somewhere else, they are selling me an OS.

Wow! Linux is really Secure. (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#33309630)

I thought only Microsoft wrote Bugs and Linux has no security holes.

What happened?

Look at this graph: http://linuxinsecurity.blogspot.com/

Certainly, someone is wrong!

Re:Wow! Linux is really Secure. (4, Insightful)

jours (663228) | more than 3 years ago | (#33310344)

Look at this graph: http://linuxinsecurity.blogspot.com/ [blogspot.com]

Please do. Notice how the graphs show Windows with 10-12% of the issues unpatched?

That's the problem. Well that and the missing graph showing "time to patch"...

Re:Wow! Linux is really Secure. (2, Informative)

rolfc (842110) | more than 3 years ago | (#33311278)

Yes, something is seriously wrong with this comparison. You compare a clean and unused operatingsystem with a fullfledged Linuxdistribution with a lot of applications.

Of course the Linuxdistribution will have more bugs, but you dont have to install all the software that comes with it. On the other hand, to be able to use the Windows server to something useful, you have to install more Microsoft and/or thirdparty software. It isnt even a webserver without installing more software in Secunias statistics. IIS has its own category.

Dont compare apples and pears, you will only fool yourself.

Re:Wow! Linux is really Secure. (1)

Bert64 (520050) | more than 3 years ago | (#33311480)

Also that full fledged linux distro has a single update mechanism for all of the applications... If you install equivalent apps on a windows system chances are they will need their own separate update mechanisms, or not have an update system at all, which massively increases the chance of unpatched apps being present.

Already fixed in Ubuntu (4, Informative)

LingNoi (1066278) | more than 3 years ago | (#33310162)

So I read the PDF...

The Linux kernel versions that include the commit 320b2b8de12698082609ebbc1a17165727f4c893 from Linus tree are fixed.

which is the patch.. "Patch "mm: keep a guard page below a grow-down stack segment" has been added to the 2.6.32-stable tree"

and meanwhile my ubuntu update managaer pops up and shows an update for the kernel and gives the following link to the changelog...
http://launchpad.net/ubuntu/+source/linux/2.6.32-24.41/+changelog [launchpad.net]

* mm: keep a guard page below a grow-down stack segment - CVE-2010-2240

Nice to see people are on the ball with security updates, even if it shouldn't have been happened in the first place.

Napa Valley Wine Tours for Everlasting Memories (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33311170)

Every year cheap aion gold [gamevive.com] the percentage for holiday makers keeps on increasing in Napa valley. People from all over the world love to travel in this exotic place with their loved ones for various reasons. Through its charming beauty and sightseeing it has cheap wow power leveling [gamevive.com] made many visitors to turn up here again and again so as to have a comfortable and relax-able stay. During your stay in this valley aion kina [aionrealm.com] region you will never develop a feeling of saying that you are staying away from your home town. This is for the reason that valleys welcoming nature and friendliness of people who are staying over aion online gold [aionrealm.com] are ready to serve you in a much better way.
    The reason aion kinah [gamevive.com] that lies behind the popularity of this valley region is their breathtaking wineries and wines. Yes you heard it right; along with other touring options ffxiv gold [gamevive.com] this valley region allows you to have your visit in their wineries too. It doesn’t end here along with your visit in wineries you are even buy ffxiv gil [gamevive.com] permitted to taste their vibrant wines which is served to you right from their wine storage facility. It means wines which are readily prepared and are ready for supply all over there world is made available for cheap ffxiv gold [gamevive.com] you.
    In this trip along with your visit in wineries and tasting of wines you are even allowed to witness the process of wine making. Individuals who are willing to watch the buy aion kinah [gamevive.com] activities of harvesting aion online account [gamevive.com] can have their stay in mid-September through October. During this period activity like picking of grapes, sorting table, crushing and fermentation process will be performed. Grapes are one of the aion time card [gamevive.com] most important resources in Napa valley that is used for producing wines. Varieties of grapes are grown so as to produce varieties of wines.
    In Napa valley wine tours you can enhance your buy aion account [gamevive.com] knowledge in wine making as well as you will even come to know about the origin of wines. If you are visiting for the first time then there is no buy wow game card [gamevive.com] point in getting worried as for the reason there are many tour operators who are ready to guide you in every step. You can choose your operators based on your budget and depending on the accommodation purpose too. They wow powerleveling [gamevive.com] will make sure to take you to world’s renowned wineries that are present over here. Along with visit in wineries and wine tasting you world of warcraft cd key [gamevive.com] are given an option of viewing their art galleries, witness the beauty of valley, and go for sightseeing along with the option of having picnic ffxiv power leveling [power2level.com] lunch in their vineyards. Napa valley wine tours will never come to an end as there are many things to watch it will thrive you to ffxiv power level [power2level.com] capture each and every moment of yours stay so as to having everlasting memories.
    Halloween pumpkin carving is aion power leveling [power2level.com] no longer just cutting some eyes and a mouth. Now you can carve sophisticated designs with the use of pumpkin kits developed by some very creative people. You can also find free printable Pumpkin patterns online, gw2 power leveling [power2level.com] so have a cheap aion power level [power2level.com] look around. Pin or tape your chosen pattern onto your pumpkin and cut out the black areas of the pumpkin pattern, and then tape the pattern to the pumpkin.
    Using a sharp tool press rows of 'dots' along buy wow power leveling [power2level.com] the features of the pattern. On large designs you can use the larger poker and place the dots farther apart, but for detailed designs, use the small buy wow leveling [power2level.com] poker and place the dots close together. Remove the pattern when you have done this stage but do not discard it, but use if as reference as to how the design should look. To carve your pumpkin simply buy warhammer power leveling [power2level.com] cut along the dots like a 'dot to dot' puzzle.

Old news ;) (1)

Lavene (1025400) | more than 3 years ago | (#33311654)

It's funny to see the windows people taking such satisfaction in Linux bugs and completely disregard the time it takes from disclosure to a fix is available. Usually I've already installed the fixed version before I read about it on slashdot. It's just a matter of subscribing to my distro's security announcement mailinglist and upgrade if I run the affected software.
So in most cases, when i read about bad bugs in Linux it's 'old news'.

(Blatantly ignoring the six years it took to actually get the fix into the kernel this time)
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...