Tuesday, September 09, 2008

Linux Kernel and silent fixes

Linux kernel 2.6.26.4 includes a patch titled "sctp: fix potential panics in the SCTP-AUTH API" that fixes some NULL pointer dereferences and an information disclosure vulnerability I found in the SCTP-AUTH API.

The NULL pointer dereferences can be used to cause a kernel panic (denial of service) as an unprivileged user but seem not to be exploitable to execute code in the kernel context.

The information disclosure vulnerability, which incidentally is mentioned neither in the patch description nor in the kernel changelogs, can be reliably exploited to read arbitrary kernel memory as an unprivileged user.

It is quite disturbing to see that security vulnerabilities are indeed silently fixed by some Linux kernel developers and maintainers.
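When a fix is not flagged as security-relevant anywhere, the only signal an administrator has is the release number itself. The following is an added example (not code from the post or from the kernel project) that parses `uname -r` style strings and reports whether a kernel is at or past 2.6.26.4, the release the post names as carrying the patch. Treating every numerically later release (including the 2.6.27 series) as fixed is an assumption of this example, not something the post states; the function and constant names are likewise made up here.

```python
import platform
import re

# Release that, per the post, ships "sctp: fix potential panics in the
# SCTP-AUTH API". Assumption of this example: every numerically later
# release also carries the fix.
FIXED_RELEASE = "2.6.26.4"


def parse_kernel_release(release: str) -> tuple:
    """Turn a `uname -r` string such as '2.6.26.3-1-amd64' or '2.6.26-rc8'
    into a tuple that compares the way kernel releases are ordered.

    Only the leading dotted numeric part is used; distribution suffixes
    such as '-1-amd64' are ignored. Missing components count as 0, so
    '2.6.26' sorts before '2.6.26.4'. An -rcN tag sorts before the final
    release it precedes: finals get a trailing (1, 0), candidates (0, N).
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))          # pad to major.minor.patch.stable
    if m.group(3):
        parts += [0, int(m.group(3))]        # release candidate
    else:
        parts += [1, 0]                      # final release
    return tuple(parts)


def kernel_at_least(release: str, minimum: str) -> bool:
    """True if `release` is the same as or newer than `minimum`."""
    return parse_kernel_release(release) >= parse_kernel_release(minimum)


def has_sctp_auth_fix(release: str) -> bool:
    """True if `release` is at or past the release the post names as fixed."""
    return kernel_at_least(release, FIXED_RELEASE)


def check_running_kernel() -> dict:
    """Inspect the kernel this script runs on (uses platform.release())."""
    rel = platform.release()
    return {"release": rel, "fixed": has_sctp_auth_fix(rel)}


if __name__ == "__main__":
    # Constructed sample releases, covering stable, rc and distro-suffixed forms.
    for sample in ["2.6.26.3-1-amd64", "2.6.26.4", "2.6.26-rc8", "2.6.27-rc1"]:
        print(f"{sample:20} fixed={has_sctp_auth_fix(sample)}")
    print(check_running_kernel())
```

The rc handling matters for a check like this: a naive string comparison would rank "2.6.26-rc8" above "2.6.26", even though the candidate predates the final release and any stable fix that followed it.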