I don't think we have a security advisory out for this particular kernel bug; is anyone working/going to be working on this?
-- An Thi-Nguyen Le |QOTD: | "I used to go to UCLA, but then my Dad got a job."
--- Begin Message ---Chris Evans <[EMAIL PROTECTED]> writes: > There exists a Linux system call sysctl() which is used to query and > modify runtime system settings. Unprivileged users are permitted to query > the value of many of these settings. It appears that all current Linux kernel version (2.2.x and 2.4.x) are vulnerable. Right? Was it really necessary to release this stuff just before the weekend? The following trivial patch should fix this issue. (I wonder how you can audit code for such vulnerabilities. It's probably much easier to rewrite it in Ada. ;-) --- sysctl.c 2001/02/10 09:42:12 1.1 +++ sysctl.c 2001/02/10 09:42:26 @@ -1123,7 +1123,7 @@ void *oldval, size_t *oldlenp, void *newval, size_t newlen, void **context) { - int l, len; + unsigned l, len; if (!table->data || !table->maxlen) return -ENOTDIR; -- Florian Weimer [EMAIL PROTECTED] University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
--- End Message ---
