> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Sam Skipsey
> Sent: 18 August 2009 14:11
> To: [log in to unmask]
> Subject: Re: UPDATE: Regarding CVE-2009-2692 local root vulnerability
>
> Mingchao,
>
> Correct me if I'm wrong, but on Friday, the advice from RH already
> listed those modules
> (indeed, the TB-SUPPORT thread from Friday shows that everyone was
> blacklisting + disabling bluetooth, pppox and sctp kernel modules).
Sorry, I did not notice it :-(. I just saw it was updated yesterday and did
not compare with the previous list.
> Did you typo? (Pulseaudio *may* be a vulnerability on later kernels,
> but it doesn't seem to be mentioned by RH in their advisory, for
> example.)
Yes, you are right. My guess is that RH does not ship pulseaudio by default.
As it is not in the RH system, RH did not mention it. However, I saw it in
Fedora and also in Ubuntu. It seems that Debian/Ubuntu/Mandrake is
vulnerable to it as stated in CVE-2009-1894 and also here:
http://www.securityfocus.com/bid/35721 (where no RH is listed).
Apologies again for the false alarm :-(.
Thanks Sam and Alessandra for pointing it out!
PS: the exploit code I saw will try pulseaudio at the last step if it failed
to map the payload to page zero via other means.
Cheers,
Mingchao
> Sam
>
> 2009/8/18 Ma, Mingchao (STFC,RAL,ESC) <[log in to unmask]>:
> > Hi all,
> >
> > Please note, the workaround from RH:
> > https://bugzilla.redhat.com/show_bug.cgi?id=516949#c10 was updated at Aug
> > 17, 2009 20:45 EST. Please check it if you applied the workaround on last
> > Friday. It appears that two more modules (install pppox /bin/true and
> > install bluetooth /bin/true) are added.
> >
> > Cheers,
> >
> > Mingchao
> >
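
One way to run the check the update asks for, as an added example that is not part of the original thread or of Red Hat's advisory: it reports which modules still lack an active `install <module> /bin/true` line in a modprobe configuration. The function name and the sample configuration are constructed here, and the module list holds only the three modules named in this thread; the complete list is in the linked Bugzilla comment.

```shell
#!/bin/sh
# Added example, not from the thread. MODULES holds only the modules named
# in the thread (assumption: extend it from the Red Hat Bugzilla comment).
MODULES="bluetooth pppox sctp"

# Print every module in $MODULES that has no active
# "install <module> /bin/true" line in the given modprobe config files.
# Hypothetical helper name; pass e.g. /etc/modprobe.conf /etc/modprobe.d/*
missing_workaround_modules() {
    for mod in $MODULES; do
        # Commented-out lines do not count; awk field splitting tolerates
        # tabs and repeated spaces between the three fields.
        if ! cat "$@" 2>/dev/null | awk -v m="$mod" '
                /^[[:space:]]*#/ { next }
                $1 == "install" && $2 == m && $3 == "/bin/true" { found = 1 }
                END { exit found ? 0 : 1 }'; then
            echo "$mod"
        fi
    done
}

# Constructed sample configuration: sctp is disabled, the bluetooth line is
# commented out, and pppox is absent.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# workaround for CVE-2009-2692
install sctp /bin/true
# install bluetooth /bin/true
EOF

echo "Modules still missing the workaround line:"
missing_workaround_modules "$sample"
rm -f "$sample"
```

A module that is already loaded stays loaded after the line is added, so the output of `lsmod` is worth checking alongside the configuration.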