Vulnerabilities in udev

Mike McCarty Mike.McCarty at sbcglobal.net
Mon Apr 27 12:28:39 PDT 2009


Ken Moffat wrote:

Thanks for your kind reply.

> On Mon, Apr 27, 2009 at 12:53:41PM -0500, Mike McCarty wrote:

[...]

>> I am not expert, so I perhaps am not able to see how the vulnerabilities
>> listed affect my machine. Could you be more specific about how the
>> vulnerabilities are subject to exploit? I'd appreciate that very much.
>> IOW, I'd like to see something which would allow us to evaluate what
>> our exposure might be.
>>
>> Mike
> If, like many of us, you only have a single human user then you can
> do a risk assessment and decide you don't need to update.  Nobody can
> recommend running known-vulnerable software, but for _everything_ on
> your LFS box you make your own choices.

Well, naturally, but what I had in mind was how to evaluate my
exposure.

> If you have multiple human users, it is generally a good idea to
> mistrust them when you are in your sysadmin role.

Yes, of course. That is good advice. I actually also mistrust
*myself*, which is why I don't log in as root, normally just
do a few sudo's, and if necessary su to root for a little while.
Not that I think I am malicious (to my *own* machine, anyway :-) )
but because everyone makes mistakes, and I'm not immune.

>  I'm not an expert either, and unlike regular distros we can't
> subscribe somebody to the full-disclosure list where at least one
> proof-of-concept has apparently circulated.

Well, you see there are two exposures involved, the obvious one

	possible exploit of known vulnerability

and the less obvious one

	replacing working code with defective code

The first exposure is relatively easy to evaluate; the latter is less
so, but exists nonetheless. I like to hear that a given patch or other
fix has "burnt in" for a while, especially where exposure due to
the known vulnerability has low or even nonexistent possibility of
exploit.

I was hoping to get more information about how to evaluate my exposure.

Thanks again!

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!


