By Robert Lemos, 17 June 2004 08:55
NEWS Linux users have been urged to fix a flaw in the core component of the open-source operating system, following the public release of code that could be used to crash Linux systems.
The flaw, found by two software programmers, could give a user with access to a Linux system the ability to crash the system using two dozen lines of code written in the C programming language, said an advisory posted over the weekend on linuxreviews.
"Assume your kernel is [vulnerable] unless you have good reason to believe it is safe," Oyvind Saether, one of the discoverers of the flaw, said in the advisory.
The program, dubbed "evil.c", causes problems with the code sent to the floating-point unit, the part of the processor that handles noninteger calculations, according to a note in a source code patch published by Linux founder Linus Torvalds.
The open-source Linux operating system has fallen prey to its share of flaws and attacks this year. Several flaws were found in the Concurrent Versions System, CVS, a commonly used application for managing open-source code under development. In March and April, online attackers targeted Linux and Solaris systems at many academic high-performance computing centres.
Researchers also found flaws in the OpenSSL software used by many Linux distributions to enable secure Internet communications.
On Monday, staffers associated with Red Hat's community-based distribution, Fedora, released an update to Fedora Core 2, to fix the latest problem. The kernel patch has also been included in the latest release candidate of the Linux kernel, 2.6.7-RC3, which is expected to be released soon.
Other distributions of Linux should be fixed this week as well.
Robert Lemos writes for News.com
Comments
There are 5 comments. Join the discussion
1. anonymous
How can you be so sloppy in what you publish here? The bug that is referred to is fixed long ago. What is wrong with you people at silicon.com? When publishing bugs in Linux kernel beare in mind that those are fixed fast. Very fast - to the contrary of some other software.
2. anonymous
Not remote-exploitable.
It's worth mentioning that this bug can only bring down a system if someone is able to execute the exploit code. They need to have a shell account or at least FTP access to somewhere they can install and run cgi-bins. Even then it kills the system one CPU at a time, so on an SMP system there will be evidence of who did it.
It doesn't let people in from the network; it doesn't allow the machine to be hijacked for malicious purposes. It's not going to cause a worm outbreak or DOS attacks, and it doesn't allow any data to be compromised.
And it's been fixed.
It's not good, but it's not a disaster.
3. Craig
If 'it's fair share of flaws' means 'considerably fewer flaws than anyone else', then I totally agree.
4. anonymous
how long would it of took microsoft to fix this problem??
weeks or months, at least there was a solution to the problem available almost imidiatley
5. Goten Xiao
Isn't it strange how the number of Microsoft patches is almost (if not already) up in the MILLIONS range, but as soon as a single Linux flaw comes out it's hyped up as making Linux as insecure as Windows?
At least the makers of Linux don't leave several user accounts on your system, as well has half a dozen backdoors and various tracing programs. Not to mention bad filesystem security in the Home version of XP.
MS is like an ego-ridden guy; all bark but no bite. They keep claiming that their OS is *more* secure than Linux, but, to be perfectly honest, the number of flaws released that have contraried this is ridiculous.