udev: Multiple vulnerabilities

Security Team Contact Address

Updated April 18, 2009

1. Gentoo Linux Security Advisory

Package	Vulnerable versions	Unaffected versions	Architecture(s)
sys-fs/udev	< 124-r2	>= 124-r2	All supported architectures

Related bugreports: #266290

Two errors in udev allow for a local root compromise and a Denial of Service.

2. Impact Information

udev is the device manager used in the Linux 2.6 kernel series.

Sebastian Krahmer of SUSE discovered the following two vulnerabilities:

udev does not verify the origin of NETLINK messages properly (CVE-2009-1185).
A buffer overflow exists in the util_path_encode() function in lib/libudev-util.c (CVE-2009-1186).

A local attacker could gain root privileges by sending specially crafted NETLINK messages to udev or cause a Denial of Service.

3. Resolution Information

There is no known workaround at this time.

All udev users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/udev-124-r2"

4. References