Vulnerabilities in udev

Ken Moffat ken at linuxfromscratch.org
Mon Apr 27 06:32:51 PDT 2009


 I'm posting this to the lfs-dev and {,b}lfs-support lists.  If
you wish to reply, please just reply to the list (NOT "to all" -
that might cause rejections if you aren't subscribed to all the
lists).

 There are two vulnerabilities in versions of udev before udev-141.

(i.) For all previous versions, netlink messages can be received
from local users, allowing privilege escalation.  CVE-2009-1185

(ii.) There is a potential buffer overflow in the util_path_encode
function - rated as a denial of service.  This function was
introduced comparatively recently (somewhere between versions 114
and 124) so it does not apply to older versions.  CVE-2009-1186

 All users who run udev are recommended to upgrade and reboot.
Unfortunately, dropping in a newer version of udev to an old
system is not generally a good idea.  I recommend the following
alternatives.  I'll spell this out in full, apologies to those
who already know what to do.

1. Ensure you have backups (in this case, the files installed by
udev), plus a means of restoring them if udev breaks (e.g. separate
system on same machine, or rescue CD).

2. If you are running with the development book, a straight upgrade
to -141 is likely to work.  My own newest system had udev-137, and
works fine with -141 (I tried to port the fixes, but ended up having
to copy a lot more of the recent changes to get it to compile, so I
tried a straight upgrade).  Of course, YMMV.

3. If you are running udev-130 (e.g. LFS-6.4) there is a patch in
-patches, udev-130-security_fixes-1.patch : this was backported to
udev-124 by fedora, then I forward-ported it : let's hope I got it
right!

4. If you are running a version between -085 and -114, use the
udev-113-security_fix-1.patch (I have one old LFS-6.3 system I want
to keep usable) : this was backported by SUSE for -114 but looking
at their naming it seems it will apply to the range of versions.

5. For all other versions, pick the nearest version you can find
from what the distros are supporting, extract the patch or patches,
and port as necessary to the version you are running.  Fun!

 When building an old version, don't forget to use the instructions
that applied when you built it originally!  You do keep either the
version of the book that you used, or buildscripts, right ?  The
released version of the books are mostly at
http://archive.linuxfromscratch.org/lfs-museum/

 The following distros support the following versions:
debian: 105, 125
fedora: 124, 127
gentoo: 124
ubuntu: 079, 113, 117, 124 - unfortunately, I've been unable to
 download from ftp.ubuntu.com for the past few days.

 I've listed these distros because they are usually easy to access
for the source.  If for some reason you are running an even older
version of udev, there are some fixes in other distros.

ĸen
-- 
das eine Mal als Tragödie, das andere Mal als Farce



More information about the blfs-support mailing list