Vulnerabilities in udev

Ken Moffat ken at linuxfromscratch.org
Mon Apr 27 12:02:00 PDT 2009


On Mon, Apr 27, 2009 at 12:53:41PM -0500, Mike McCarty wrote:
> > 
> >  All users who run udev are recommended to upgrade and reboot.
> 
> Why? What I see there shows two vulnerabilities indeed, but perhaps
> not for everyone. ISTM that they require a hostile local user, or at
> least one with a running local agent. I don't see how my LFS machine
> is vulnerable if
> 
> 	no serial cable is connected
> 	no network cable is connected
> 	no PLIP is running or connected
> 	nobody lives in my house who wants to do my machine mischief
> 
> I am not an expert, so I perhaps am not able to see how the vulnerabilities
> listed affect my machine. Could you be more specific about how the
> vulnerabilities are subject to exploit? I'd appreciate that very much.
> IOW, I'd like to see something which would allow us to evaluate what
> our exposure might be.
> 
> Mike
 If, like many of us, you only have a single human user then you can
do a risk assessment and decide you don't need to update.  Nobody can
recommend running known-vulnerable software, but for _everything_ on
your LFS box you make your own choices.

 If you have multiple human users, it is generally a good idea to
mistrust them when you are in your sysadmin role.

 I'm not an expert either, and unlike regular distros we can't
subscribe somebody to the full-disclosure list where at least one
proof-of-concept has apparently circulated.

ĸen
-- 
the one time as tragedy, the other time as farce
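Ken's first point is that the risk assessment hinges on whether the box really has a single human user. As an added example (not part of the original thread, and not LFS or udev code), the following POSIX shell snippet lists the accounts an attacker could actually log in as, by reading passwd-format data and keeping root plus any account with a UID of 1000 or above whose shell is interactive. The UID threshold and the treatment of shells ending in nologin or false as non-interactive are assumptions; the passwd data below is constructed for offline demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread. Supports the "single human
# user?" risk assessment by listing accounts a person could log in as.
# Assumptions: passwd-format input (name:pw:uid:gid:gecos:home:shell),
# regular users have UID >= 1000 (assumed convention), and shells whose
# name ends in nologin or false are not interactive.

# Constructed sample passwd data (not from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/dev/null:/bin/false
daemon:x:6:6:Daemon User:/dev/null:/bin/false
messagebus:x:18:18:D-Bus Message Daemon User:/var/run/dbus:/bin/false
nobody:x:99:99:Unprivileged User:/dev/null:/bin/false
mike:x:1000:1000:Mike:/home/mike:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
backup:x:1002:1002:Backup:/var/backups:/sbin/nologin'

# interactive_accounts: read passwd-format lines on stdin and print, one per
# line, every account that has an interactive shell and is either root
# (UID 0) or a regular user (UID >= 1000).
interactive_accounts() {
    awk -F: '
        $7 !~ /(nologin|false)$/ && ($3 == 0 || $3 >= 1000) { print $1 }
    '
}

# count_interactive_accounts: number of such accounts in the stdin input.
# Anything above 1 (root alone) means more than one person can get a shell,
# and the "hostile local user" precondition is worth taking seriously.
count_interactive_accounts() {
    interactive_accounts | wc -l | tr -d ' '
}

# Against the live system, run:  interactive_accounts < /etc/passwd
# On the sample data above this prints root, mike and guest (3 accounts).
```

The check only looks at password-file entries; accounts reachable through other mechanisms (NIS, LDAP, an SSH key on an otherwise locked account) are outside what it can see, so treat its output as a lower bound.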