Hi,
Hadmut Danisch wrote:
> Your assumption is false here. The kernel maintainers DO NOT say this:
> Read the README file, it does not contain any statement that you do
> not have to compile as root. They silently explain how to compile if
> you are n
I mentioned that the Gentoo kernel does not have this problem, other
distros have been shown to have safe file permissions in the kernel
tree, so there is a way to have permissions 'fixed' on distribution. But
before that, and ultimately, it's up to us
Chris Umphress wrote:
>> That assumes a proper umask. The kernel source should not depend on
>> the end user's umask being set up properly.
>
> Is it the kernel developers' fault if your umask is extremely lax for
> a normal user? If it is lax, security of the kernel source isn't your
> only problem
On 9/8/06, Hadmut Danisch <[EMAIL PROTECTED]> wrote:
Ironically, if Microsoft distributed such files everyone would shout
"hidden backdoor!"
That's a fact, but don't forget that the upstream kernel is not being
shipped as part of an update to a commercial product. Besides,
permissions are not h
On Thu, Sep 07, 2006 at 05:04:39PM -0400, Troy Cregger wrote:
>
> kernel-2.6.17-gentoo-r7 seems OK.
>
> $ find /usr/src/linux-2.6.17-gentoo-r7/ -perm -666 ! -type l | wc -l
> 0
> $
The Debian kernel is OK as well.
It's just the upstream kernel which has this flaw.
But this shows that gent
Hadmut Danisch wrote:
> On Fri, Sep 08, 2006 at 12:52:22AM +0530, Raj Mathur wrote:
>> I wouldn't know if something has changed drastically between 2.6.16
>> and 2.6.17.11, but:
>>
>> [EMAIL PROTECTED]:~$ find /usr/src/linux-2.6.16/ -perm -666 ! -type l
>> [EMAIL PROTECTED]:~$
>>
>> Not a single wo
On Thu, Sep 07, 2006 at 08:23:04PM +0200, Hadmut Danisch wrote:
> Hi,
>
> there's a severe vulnerability in the Linux kernel source code archives:
>
>
a similar problem was published sometime ago:
http://attrition.org/security/advisory/gobbles/GOBBLES-16.txt
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf
> Of Hadmut Danisch
> Sent: 07 September 2006 19:23
> To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: [Full-disclosure
On Fri, Sep 08, 2006 at 11:44:02AM +0100, Lee Ball wrote:
>
> Sorry to add my 2 pence worth but I noticed that Raj ran his command as
> a normal user and you Hadmut have run yours as root. Isn't it going to
> be ok as the directories above these world writeable files aren't
> writeable/readable by
kernel-2.6.17-gentoo-r7 seems OK.
$ find /usr/src/linux-2.6.17-gentoo-r7/ -perm -666 ! -type l | wc -l
0
$
Hadmut Danisch wrote:
> On Fri, Sep 08, 2006 at 12:52:22AM +0530, Raj Mathur wrote:
>> I wouldn't know if something has changed drastically bet
On Fri, Sep 08, 2006 at 12:52:22AM +0530, Raj Mathur wrote:
>
> I wouldn't know if something has changed drastically between 2.6.16
> and 2.6.17.11, but:
>
> [EMAIL PROTECTED]:~$ find /usr/src/linux-2.6.16/ -perm -666 ! -type l
> [EMAIL PROTECTED]:~$
>
> Not a single world-writable file or direc
> "Hadmut" == Hadmut Danisch <[EMAIL PROTECTED]> writes:
Hadmut> [snip]
Hadmut> When unpacking such an archive, tar also sets the uid,
Hadmut> gid, and file permissions given in the tar
Hadmut> archive. Unfortunately, plenty of fi
Hi,
there's a severe vulnerability in the Linux kernel source code archives:
The Linux kernel is distributed as tar archives in the form of
linux-2.6.17.11.tar.bz2 from kernel.org. It is usually unpacked,
configured and compiled under /usr/src. Since installing a new kernel
requires root privile