Slackware: 2009-230-01: kernel Security Update
Summary
Here are the details from the Slackware 12.2 ChangeLog: patches/packages/linux-2.6.27.31/: Added new kernels and kernel packages for Linux 2.6.27.31 to address a bug in proto_ops structures which could allow a user to use the kernel sendpage operation to execute arbitrary code in page zero. This could allow local users to gain escalated privileges. This flaw was discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692 In addition, these kernels change CONFIG_DEFAULT_MMAP_MIN_ADDR kernel config option value to 4096, which should prevent the execution of arbitrary code by future NULL dereference bugs that might be found in the kernel. If you are compiling your own kernel, please check this option in your .config. If it is set to =0, you may wish to edit it to 4096 (or some other value > 0) and then reconfigure, or the kernel will not have default protection against zero page attacks from userspace. (* Security fix *) patches/packages/kernel-mmap_min_addr-4096-noarch-1.tgz: This package adds an init script to edit /etc/sysctl.conf, adding this config option: vm.mmap_min_addr = 4096 This will configure the kernel to disallow mmap() to userspace of any page lower than 4096, preventing privilege escalation by CVE-2009-2692. This is a hot fix package and will take effect immediately upon installation on any system running a kernel that supports configurable /proc/sys/vm/mmap_min_addr (kernel 2.6.23 or newer). (* Security fix *)
Where Find New Packages
HINT: Getting slow download speeds from ftp.slackware.com?
Give slackware.osuosl.org a try. This is another primary FTP site
for Slackware that can be considerably faster than downloading
directly from ftp.slackware.com.
Thanks to the friendly folks at the OSU Open Source Lab
(https://osuosl.org/) for donating additional FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://www.slackware.com/ for
additional mirror sites near you.
Updated kernel packages for Slackware 12.2 may be found here:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/linux-2.6.27.31/kernel-firmware-2.6.27.31-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/linux-2.6.27.31/kernel-generic-2.6.27.31-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/linux-2.6.27.31/kernel-headers-2.6.27.31_smp-x86-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/linux-2.6.27.31/kernel-huge-2.6.27.31-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/linux-2.6.27.31/kernel-huge-smp-2.6.27.31_smp-i686-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/linux-2.6.27.31/kernel-modules-2.6.27.31-i486-1.tgz
Updated kernel packages for Slackware -current may be found here:
Updated kernel packages for Slackware64 -current may be found here:
Hotfix/init script packages to increase mmap_min_addr to 4096:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/kernel-mmap_min_addr-4096-noarch-1.tgz
These packages are the same, and will work with any 2.6.23 or newer kernel.
Signatures:
All packages are signed with the Slackware Security Team GPG signature for
verification of authenticity. File may also be checked with the CHECKSUMS.md5
file provided in each Slackware directory tree, which is also signed with the
Slackware GPG key.
Kernel patches for Linux 2.4.x and Linux 2.6.x:
Kernel patches for CVE-2009-2692 that should apply cleanly to most 2.4
and 2.6 kernel source may be found here:
MD5 Signatures
Installation Instructions
Installation instructions: Upgrade the kernel packages as root, rebuild the initrd with mkinitrd, and reinstall LILO. For details on the process of updating the Slackware 12.2 kernels, see the README file in /patches/packages/linux-2.6.27.31/. To activate the mmap_min_addr protection in your /etc/sysctl.conf for 2.6.23 or newer kernels, simply install the package: installpkg kernel-mmap_min_addr-4096-noarch-1.tgz If you are building your own kernel from unfixed vanilla sources, the patch appropriate for your kernel may be applied to the source like this: cd /usr/src/linux zcat linux-2.6.x-CVE-2009-2692.diff.gz | patch -p1 --verbose