Gentoo Logo
Gentoo Spaceship

Get Started
Gentoo Handbook

Security Announcements
Infrastructure Status

Gentoo Handbook
Featured Documentation
IBM dW/Intel article archive

Get Gentoo

Discussion Forums
IRC Channels
Mailing Lists
Report Issues
Planet (Blogs)
Online Package Database
Contact Us

Get Involved
Report Issues
Help Wanted
Help maintaining packages
Discussion Forums
IRC Channels
Mailing Lists
Become a Developer
Offer Resources
Enhancement Proposals (GLEPs)
Source Repositories
Developer's Manual

Developer List
Developer Map
Gentoo Stores

About Gentoo
Social Contract
Name and Logo Guidelines
Logos and themes

Kernel security exploits: Upgrade ASAP
Posted on February 13, 2008 by Donnie Berkholz


Two major security flaws in the Linux kernel were reported last weekend. Both flaws have the same impact (root access for local users) and both exist within the vmsplice() system call, which was added to the kernel in 2.6.17. There is no configuration option to exclude vmsplice() so everyone is vulnerable.

One of the security issues existed for the entire lifetime of vmsplice(), so any kernel version from 2.6.17 onwards is vulnerable. This was fixed in, and It has been assigned the vulnerability identifier of CVE-2008-0600.

The other security issue first appeared in 2.6.23. It was fixed in and This vulnerability has been assigned CVE-2008-0009 and CVE-2008-0010.

gentoo-sources-2.6.23-r8 and gentoo-sources-2.6.24-r2 were added to the tree Monday and include fixes for both issues. Install the latest gentoo-sources as quickly as possible.

Gentoo isn't releasing GLSAs for kernels because of the huge amount of work to track them for all 18 of our available kernel sources and versions within each of those. If you'd like to help change this by contributing, contact our security team.

Code Listing 1.1: Upgrade to a secure kernel

On stable systems, do this
# emerge =gentoo-sources-2.6.23-r8

If you use ~arch keywords instead, do this
# emerge =gentoo-sources-2.6.24-r2

After that, follow the Kernel Upgrade Guide.

Discuss this!

Daniel Drake and Tobias Scherbaum contributed the draft for this announcement. Doug Klima noted that 2.6.23 should be the default because it's stable. Sasaki Kojiro suggested linking to the upgrade guide.

Page updated February 13, 2008

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.