fixed in v18.104.22.168
Posted Sep 25, 2009 7:10 UTC (Fri) by mingo
In reply to: fixed in v22.214.171.124
Parent article: Kernel release status
Agreed, it's a good idea.
Note that the fix for this bug was queued up for 126.96.36.199 before the exploit was posted. (That doesn't of course in any way mitigate the fact that this was an exploitable bug.)
Mr. Spender took the commit log of the fix that others already debugged, created, tested and submitted, and made it easier for script kiddies to vandalize Linux systems by posting an exploit.
As i expressed it earlier, i wish Mr. Spender had more empathy with the project he is trying to contribute to and if he were more mature in not harming it at the same time. Posting an almost-exploit or just saying that it's exploitable is generally enough to get immediate attention - while also avoiding a lot of immediate harm.
Btw., that posting should be immediate and as public as possible, to notify all interested parties [which includes script kiddies and black hats as well] - no matter how embarrassing it might be to the developers and maintainers involved.
Mr. Spender's choice to maximally help script kiddies while trying to maximally harm the people who are actually work on making Linux better (short of him committing a potential felony by launching attacks himself or selling the exploit) certainly qualifies his character - but it's also useful even in this form, no doubt about that.
I'm sure that a parallel or complimentary security effort with real ongoing work injected would be helpful. The sanest approach would be to also notify the -stable maintainers IMHO - the -stable maintainers are very responsive in general.
to post comments)