Vulnerabilities in udev

Mike McCarty Mike.McCarty at sbcglobal.net
Mon Apr 27 20:24:59 PDT 2009


Agathoklis D. Hatzimanikas wrote:
> On Mon, Apr 27, at 02:52 Bruce Dubbs wrote:
>> Mike McCarty wrote:
>>

[...]

>>>
>>> I was hoping to get more information about how to evaluate my exposure.
>> Look at the source of the patch.  The header says that the changes are from 
>> upstream.  They will be in future versions of the code.  To evaluate the 
>> vulnerability, the header says it fixes CVE-2009-1185 and CVE-2009-1186.  Google 
>> that and you can read all about it.
> 
> This is pretty serious.
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1185
> http://c-skills.blogspot.com/2009/04/udev-trickery-cve-2009-1185-and-cve.html
> http://xorl.wordpress.com/2009/04/17/cve-2009-1185-linux-udev-path-encoding/

I'll look into that. Thanks!

> 
> And for Mike,
> 
> LFS is actually teaching administration, so it has the obligation and
> the duty to teach the user to follow religiously the recommendations as
> far as it concerns security problems; in fact I would like to use the
> *preach* expression instead of teach, to emphasize how the administrator
> should take seriously the security domain.

Umm, while I agree in principle with taking things like this
seriously, an important part of administration is knowing not
only what vulnerabilities there are, but what one's own exposure
may be. So, simply issuing serious warnings and recommending all
to upgrade doesn't give the full story.

> So while the individual can choose, by looking at the security reports,
> not to fix the vulnerabilities in her machine, in LFS we have *no* other
> choice than to report them and publish fixes (if available), no matter how
> critical they are. We are talking here about practices.

No argument here about publishing, and I appreciate it. I'm not
convinced that best practice is always to accept security updates
immediately, or even ever (necessarily). I've seen security
updates retracted.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!