Patches ready for Red Hat, Ubuntu and others affected by Linux kernel flaw

Summary: Linux admins should start patching a newly discovered flaw affecting a component of the kernel.

Patches are in the works for several Linux distributions affected by a newly-discovered flaw in the Linux kernel that could let a local user crash or run programs as an administrator.

Admins running Ubuntu, some Red Hat systems, Debian, and other distros are advised to patch a moderately serious memory corruption flaw affecting the n_tty_write function in the Linux kernel up to 3.14.3.

According to the US-CERT writeup for the CVE-2014-0196 bug, the "n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings."

In UNIX/Linux parlance, TTY, derived from Teletype, refers to the command line interface terminal.

A discussion about the bug by a Novell Suse security engineer notes the race condition occurs in a feature introduced in 2009 that changed how "pty" — a pseudo tty — handled write buffering.

"When two processes/threads write to the same pty, the buffer end could be overwritten and so memory corruption into adjacent buffers could lead to crashes / code execution," the Suse security engineer wrote. 

As noted by Ars Technica, although only a local user can exploit the bug, that condition still may pose a risk for affected systems in shared server environments.

Red Hat is working on corrected kernel packages for Red Hat Enterprise Linux (RHEL) 6 and Red Hat Enterprise MRG 2 but has said that RHEL 5 is not affected. Debian has details about its available fixes here, while Ubuntu has released details about its patches here.
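The article gives one hard fact an admin can act on immediately: upstream kernels through 3.14.3 are in the affected range. The following added example (written for this page, not code from the article, US-CERT, or any distribution) turns that into a coarse triage check over `uname -r` style release strings. It deliberately stops short of a verdict: distribution kernels carry backported fixes under old version numbers (the article itself notes RHEL 5 is not affected despite its older kernel), so a version inside the range is a lead to confirm against the vendor advisory, not proof of exposure. The function names, the `vendor_states_fixed` parameter and the sample release strings are all assumptions constructed for the example.

```python
import re
import subprocess

# Upper bound stated in the article: kernels "through 3.14.3" are affected.
LAST_AFFECTED = (3, 14, 3)


def parse_kernel_version(release):
    """Extract the numeric (major, minor, patch) triple from a `uname -r` string.

    Distribution kernels append suffixes such as "-24-generic" or
    "-431.el6.x86_64"; only the leading dotted numbers are compared.
    A missing patch level (e.g. "3.14") is treated as 0.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def triage(release, vendor_states_fixed=False):
    """Coarse CVE-2014-0196 triage for one kernel release string.

    Returns one of:
      "vendor-fixed"    the caller has confirmed from the distribution's
                        advisory that the installed package carries the fix
      "upstream-fixed"  the upstream version is newer than 3.14.3
      "check-advisory"  the version is inside the affected range; because
                        distros backport fixes, this is a lead, not a verdict
    """
    if vendor_states_fixed:
        return "vendor-fixed"
    if parse_kernel_version(release) > LAST_AFFECTED:
        return "upstream-fixed"
    return "check-advisory"


def running_kernel():
    """Return this host's `uname -r` output (only meaningful on a Linux host)."""
    return subprocess.check_output(["uname", "-r"], text=True).strip()


if __name__ == "__main__":
    # Constructed sample release strings, not taken from any real host.
    samples = [
        "3.13.0-24-generic",
        "3.14.3",
        "3.14.4",
        "3.15.0-rc5",
        "2.6.32-431.el6.x86_64",
    ]
    for s in samples:
        print(f"{s:28} -> {triage(s)}")
```

Run it on a fleet by feeding each host's `uname -r` into `triage()`, then close out every `check-advisory` result by comparing the installed kernel package version with the Red Hat, Debian or Ubuntu advisory rather than the upstream number alone.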

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Talkback

44 comments
  • Patches ready for Red Hat, Ubuntu and others affected by Linux kernel flaw

    Gentlemen, start your compilers! Always the same thing with Linux, patch after patch after patch to fix the patch. Linux requires more maintenance than any other OS, so much so that it's not worth the hassle to even run it. If Linux had a decent code development program and code review program they wouldn't be in this situation.
    Loverock.Davidson
    • No compiling needed, idiot.

      Just apply a patch.

      The rest of your post is also crap - Linux has a better review program than any other operating system.

      Which is why it has fewer bugs per unit of code.
      jessepollard
      • "Linux"?

        Last time I checked, wasn't Linux a kernel, and not an operating system?

        Besides, can you cite your sources about its review program?
        ForeverCookie
        • Wrong.

          To educate yourself, review facts here:
          http://en.wikipedia.org/wiki/Linux
          http://en.wikipedia.org/wiki/Linux_distribution

          Re. review program, read:
          http://en.wikipedia.org/wiki/Linux_kernel which includes:

          "The Linux kernel is released under the GNU General Public License version 2 (GPLv2)[6], ...and is developed by contributors worldwide. Day-to-day development discussions take place on the Linux kernel mailing list."

          p.s. - Those "other OS" also have kernels.
          KnowBuddy3
          • Shouldn't have bothered

            These aren't even very cute trolls.
            John L. Ries
          • Strictly speaking HE IS

            right.

            Linux is a kernel not an operating system, if you don't believe me, ask Stallman :)
            sjaak328
        • re; Linux?

          "Linux means different things to different people, from the purist who considers it to be the kernel to the GNU advocate who see it as a part of GNU/Linux. Linux is all of these, depending on your point of view." -Neil Bothwick

          Sorry Richard, we can't be bothered to say “GNU slash” every time. -Neil Bothwick
          daikon
      • Fewer bugs per unit of code?

        So you've looked inside all of the major OS's?

        Yeah, I didn't think you did either, but I knew you wouldn't say that.
        William.Farrel
        • re; Fewer bugs per unit of code?

          Coverity finds open source software quality better than proprietary code

          http://www.zdnet.com/coverity-finds-open-source-software-quality-better-than-proprietary-code-7000028514/
          daikon
          • That's great. Does it claim fewer bugs per unit of code?

            You know, since the source code of proprietary software is open for all to see?
            William.Farrel
          • You will have to read the report

            to determine that.

            “Does it claim fewer bugs per unit of code?”
            daikon
      • Interestingly Enough Reverend Pollard,

        Coverity, the company that made that claim, missed both Heartbleed and this one - they are a very credible source!

        And yes, the article that held this great tenet was penned by none other than his holiness Pope SJVN

        Flashback: http://www.zdnet.com/coverity-finds-open-source-software-quality-better-than-proprietary-code-7000028514/
        Mujibahr
        • What has ANY of that to do with it?

          Bugs are found by those searching for them.

          You find fewer bugs per unit of open source code.
          jessepollard
    • Yes because the way Microsoft does patches is better.

      I would rather have a patch a day than wait for Microsoft to release a patch that may never come. As far as "decent code development program and code review program", how many times, in the last few months, has Microsoft released a patch only to retract the patch because of the problems that were caused by that patch?
      CPPCrispy
      • What does Microsoft have to do with this?

        No one mentioned Microsoft and there is no reason to bring them into this post. Talk about envy, sheesh.
        Loverock.Davidson
        • you did...

          with the words 'any other OS'
          BitBanger_USA
          • Nope

            Please try again.
            Loverock.Davidson
          • dude, you are a known MS shill slagging Linux

            You carry Microsoft around on your shoulders every time you slag off another OS. Because slagging off non MS stuff is pretty much all you do.

            I tried to find a post where you slagged off Microsoft but I couldn't.. see how transparent you are?
            frankieh
          • Another one with the envy

            Microsoft wasn't mentioned but you guys keep mentioning them. You have nothing but envy for that company.
            Loverock.Davidson
      • But CPPCrispy, haven't I read right here

        of Linux needing patches that haven't come, or came 6 months later after the issue was discovered?
        William.Farrel