Gentoo Logo
Gentoo Spaceship

Get Started
Gentoo Handbook
Downloads

News
Security Announcements
Calendar
Infrastructure Status

Documentation
Gentoo Handbook
Featured Documentation
IBM dW/Intel article archive

Get Gentoo
Downloads
Mirrors

Community
Discussion Forums
IRC Channels
Mailing Lists
Report Issues
Planet (Blogs)
Online Package Database
Wiki
Contact Us
Sponsors

Get Involved
Report Issues
Help Wanted
Help maintaining packages
Discussion Forums
IRC Channels
Mailing Lists
Become a Developer
Offer Resources
Enhancement Proposals (GLEPs)
Source Repositories
Developer's Manual

Other
Developer List
Developer Map
Gentoo Stores
Projects

About
About Gentoo
Philosophy
Social Contract
Name and Logo Guidelines
Logos and themes
Screenshots



Kernel security exploits: Upgrade ASAP
Posted on February 13, 2008 by Donnie Berkholz

tux

Two major security flaws in the Linux kernel were reported last weekend. Both flaws have the same impact (root access for local users) and both exist within the vmsplice() system call, which was added to the kernel in 2.6.17. There is no configuration option to exclude vmsplice() so everyone is vulnerable.

One of the security issues existed for the entire lifetime of vmsplice(), so any kernel version from 2.6.17 onwards is vulnerable. This was fixed in 2.6.24.2, 2.6.23.16 and 2.6.22.18. It has been assigned the vulnerability identifier of CVE-2008-0600.

The other security issue first appeared in 2.6.23. It was fixed in 2.6.23.15 and 2.6.24.1. This vulnerability has been assigned CVE-2008-0009 and CVE-2008-0010.

gentoo-sources-2.6.23-r8 and gentoo-sources-2.6.24-r2 were added to the tree Monday and include fixes for both issues. Install the latest gentoo-sources as quickly as possible.

Gentoo isn't releasing GLSAs for kernels because of the huge amount of work to track them for all 18 of our available kernel sources and versions within each of those. If you'd like to help change this by contributing, contact our security team.

Code Listing 1.1: Upgrade to a secure kernel

On stable systems, do this
# emerge =gentoo-sources-2.6.23-r8

If you use ~arch keywords instead, do this
# emerge =gentoo-sources-2.6.24-r2

After that, follow the Kernel Upgrade Guide.

Discuss this!

Daniel Drake and Tobias Scherbaum contributed the draft for this announcement. Doug Klima noted that 2.6.23 should be the default because it's stable. Sasaki Kojiro suggested linking to the upgrade guide.




Page updated February 13, 2008

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.