05/15/2014

After 5 years, Linux discovers a stupid critical bug in its kernel, and all Linux-based cloud services have to take notice

"This memory corruption flaw is certainly nothing like OpenSSL's remotely exploitable Heartbleed – CVE-2014-0196. But this local root hole is problematic where users are sharing the same Linux host in the cloud.

 

 

Here's how US-CERT described the issue:

“The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the 'LECHO & !OPOST' case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.”

A user only needs shell access to be in a position to exploit the programming blunder.

The bug was introduced in 2009 with version v2.6.31-rc3 of the kernel. Before that, as noted at this Novell SUSE security discussion, “pty [the pseudo-terminal – El Reg] was writing directly to a line discipline without using buffers.”"
http://www.theregister.co.uk/2014/05/14/linux_distos_get_...

Open source is more secure because everybody has the possibility of checking the code, they say.

That it takes 5 years to discover this says a lot about the number of people who are busy checking the code (every 5 years).

And they can't say that the kernel isn't critical and shouldn't have been closed down and checked and tested long long long long before.

trust what I say, not what I say I do
