[vox] Linux kernel vulnerability

Rob Rogers vox@lists.lugod.org
Wed, 7 Jan 2004 14:57:34 +0000


Just an update on the kernel vulnerability Bill brought up last night.
I couldn't remember the exact details, and wasn't sure how far back it
went. Looks like it dates back to Dec 99, and affects all 2.4.x and
2.6.x kernels (2.4.0 was released Jan 01). 2.2.x has been confirmed to
not be affected, but looking at the dates, I'd assume if you happen to
be running a late 2.3.x kernel (not likely, but you never know) you will
be vulnerable.

Here's the text from the DSA (Debian Security Announcement):
"Paul Starzetz discovered a flaw in bounds checking in mremap() in the
Linux kernel (present in version 2.4.x and 2.6.x) which may allow a
local attacker to gain root privileges."

Also, it seems to have been a busy 2 days for security bugs. There were
7 DSAs issued Monday, and another 4 on Tues. (compared to 6 total for
Nov., and 3 in Dec.). Here's just the brief synopsis of these, available
at http://security.debian.org for those of you who are interested (and,
for those of you running other distros, none of these are Debian-specific
bugs).

[06 Jan 2004] DSA-416 fsp
    buffer overflow, directory traversal
[06 Jan 2004] DSA-415 zebra
    denial of service
[06 Jan 2004] DSA-414 jabber
    denial of service
[06 Jan 2004] DSA-413 linux-kernel-2.4.18
    missing boundary check
[05 Jan 2004] DSA-412 nd
    buffer overflows
[05 Jan 2004] DSA-411 mpg321
    format string vulnerability
[05 Jan 2004] DSA-410 libnids
    buffer overflow
[05 Jan 2004] DSA-409 bind
    denial of service
[05 Jan 2004] DSA-408 screen
    integer overflow
[05 Jan 2004] DSA-407 ethereal
    buffer overflows
[05 Jan 2004] DSA-406 lftp
    buffer overflow