On Mon, May 12, 2008 at 11:52:27PM +0100, Dominic Hargreaves wrote:
> On Mon, May 12, 2008 at 03:13:14PM -0600, dann frazier wrote:
>
> > Vulnerability : denial of service
> > CVE-2008-1669
> >
> > Alexander Viro discovered a race condition in the fcntl code that
> > may permit local users on multi-processor systems to execute parallel
> > code paths that are otherwise prohibited and gain re-ordered access
> > to the descriptor table.
>
> Is there any reason this has been labelled as a DoS rather than a
> potential arbitrary code execution issue (which
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1669 suggests it is) - eg
> are there mitigating circumstances in the Debian kernel?

hey Dominic,

At the time I prepared this upload, I was under the impression that
this was a potential arbitrary code execution issue (with no known
exploit). However, while preparing the DSA I didn't find convincing
evidence that this was more than a DoS. I could of course be wrong,
and if I am I'll be happy to update the advisory.

> It seems odd that Debian would release a new kernel for a single
> DoS-only vulnerability.

Yes, normally local DoS fixes are queued up and released in batches.

--
dann frazier

