Announcement

Collapse
No announcement yet.

Ubuntu dirtyc0w vulnerability

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Ubuntu dirtyc0w vulnerability

    It's a bug that has been around since 2005. Linus first fixed it then but regressed it for s390 incompatibility reasons, It appeared again when folks recently noticed problems with Android kernels. For Ubuntu, RedHat and most other users the patch has been applied and posted to repositories.

    http://news.softpedia.com/news/canon...s-509507.shtml

    Ubuntu users urged to patch their systems immediately Canonical urged all users to patch their systems immediately by installing
    linux-image-4.8.0-26 (4.8.0-26.28) for Ubuntu 16.10,
    linux-image-4.4.0-45 (4.4.0-45.66) for Ubuntu 16.04 LTS,
    linux-image-3.13.0-100 (3.13.0-100.147) for Ubuntu 14.04 LTS, and
    linux-image-3.2.0-113 (3.2.0-113.155) for Ubuntu 12.04 LTS, as well as
    linux-image-4.4.0-1029-raspi2 (4.4.0-1029.36) for Ubuntu 16.04 LTS for Raspberry Pi 2.


    The Xenial HWE kernel for Ubuntu 14.04 LTS was updated as well today, to version
    linux-image-4.4.0-45 (4.4.0-45.66~14.04.1), and the
    Trusty HWE kernel for Ubuntu 12.04 LTS to version linux-image-3.13.0-100 (3.13.0-100.147~precise1).

    Please update your Ubuntu installations immediately by following the instructions provided by Canonical at https://wiki.ubuntu.com/Security/Upgrades.

    http://people.canonical.com/~ubuntu-...2016-5195.html
    Code:
    Patches:
    Package
    Source: linux (LP Ubuntu Debian)
    Upstream:                               released (4.9~rc2)
    Ubuntu 12.04 LTS (Precise Pangolin):    released (3.2.0-113.155)
    Ubuntu 14.04 LTS (Trusty Tahr):         released (3.13.0-100.147)
    Ubuntu Touch 15.04:                     DNE
    Ubuntu Core 15.04:                       pending (3.19.0-73.81)
    [B]Ubuntu 16.04 LTS (Xenial Xerus):         released (4.4.0-45.66)[/B]
    Ubuntu 16.10 (Yakkety Yak):             released (4.8.0-26.28)
    Ubuntu 17.04 (Zesty Zapus):              needs-triage
    For those wanting to do a live patch of their kernel the method is here. (If you have to ask questions then you shouldn't be attempting this method). For the rest of us mere mortals the proper application is the standard

    sudo apt update
    sudo apt dist-upgrade

    if you haven't already done it. I noticed an update yesterday or the day before that included snapd, and brought my kernel up to
    Code:
    :~$ uname -mrs
    Linux 4.4.0-46-generic x86_64
    Rasberry and Snapdragon 16.04 LTS kernels are also patched.

    The Ubuntu Kernel Support schedule is here.
    Last edited by GreyGeek; Oct 24, 2016, 09:10 PM.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.

    #2
    Do you have backports enabled? Im all up-to-date but have Linux 4.4.0-45-generic x86_64.

    Comment


      #3
      Originally posted by whatthefunk View Post
      Do you have backports enabled? Im all up-to-date but have Linux 4.4.0-45-generic x86_64.
      You have the version with the fix for the CVE then.

      The -46 version GreyGeek mentions is a later update that is currently in 'proposed' for the main archive, or in the Canonical kernel team's ppas.
      On #kubuntu-devel & #kubuntu on libera.chat - IRC Nick: RikMills - Launchpad ID: click

      Comment


        #4
        Originally posted by whatthefunk View Post
        Do you have backports enabled? Im all up-to-date but have Linux 4.4.0-45-generic x86_64.
        No, I have the repository that was setup during the install. Here is my update history:
        Click image for larger version

Name:	Screenshot_20161025_112232.png
Views:	1
Size:	121.5 KB
ID:	643356

        You can see the version updates and the date they occurred. I was updated to the 4.4.0-46.49 update on the 21st.
        As archeron said, the Ubuntu security cve gives the patched kernel as
        linux-image-4.4.0-45 (4.4.0-45.66) for Ubuntu 16.04 LTS,
        which is what you have. I was updated to that kernel on the 20th. The bug was announced on the 19th. Pretty fast patch!

        The real losers in all of this are the Android users. According to agreements Android makers were forced to make with Microsoft to avoid extortion by lawsuits using the bogus "5 DOS IP violations", they are not allowed to update or upgrade the Android versions originally installed on their phones, and they have to pay Microsoft a fee per phone sold. Microsoft made more money on Android phones than they made trying to sell their Windows Phones Only those android users smart enough to jailbreak their phones and apply the live kernel patch will be secured. Most smartphone (and computer users) being completely lo-info clueless users blame Google for not updating the android phones when newer version of Android are released or patches are applied.

        Meanwhile, Google, the "do no evil" company that forgot its mantra, is busily trying to combine the Android OS with Chrome OS to bring Android to the laptop/desktop. Oh Joy!
        Last edited by GreyGeek; Oct 25, 2016, 10:57 AM.
        "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
        – John F. Kennedy, February 26, 1962.

        Comment


          #5
          About Android: most Android phones get updates. Mine got two OS updates before my provider gave up on it. The phone maker continues to offer upgrades to the newest version. I dont know about the agreement with Microsoft, but at least from my experience the problem with Android updates is providers. If a provider offers 10 Android phones with 10 slightly different varieties of Android, there is no way for them to keep up with updates. Just my observation.

          Comment


            #6
            From 2011:

            https://blogs.technet.microsoft.com/...nsing-program/

            Today, Microsoft announced its tenth license agreement providing coverage under our patent portfolio for Android mobile phones and tablets. Today’s agreement is with Compal, one of the world’s largest Original Design Manufacturers, or ODMs. Compal is based in Taiwan, where it produces smartphones and tablet computers for third parties, and has revenue of roughly $28 billion per year.

            Today’s announcement marks Microsoft’s ninth Android agreement in the last four months. More important, today’s announcement means that companies accounting for more than half of all Android devices have now entered into patent license agreements with Microsoft.
            ...
            Microsoft now has license agreements in place with OEMs that account for 53 percent of all Android smartphones in the United States.
            The basic patent weapon? The FAT patent!

            Google may not charge for Android but Microsoft by way of its patent lawsuits is charging HTC and a few other phone makers $10per phone that uses Android.

            Two years later, the number jumps from 11 to 21 agreements:
            http://www.fosspatents.com/2013/04/j...n-foxconn.html
            Microsoft has announced on its corporate blog a license agreement with ZTE covering Android and Chrome devices. Numerous device makers (including Samsung, HTC, LG and Acer) as well as contract manufacturers have previously taken such a license from Microsoft. Reuters just reported on this agreement and mentions that ZTE "has agreed to pay Microsoft Corp a royalty for devices it makes using Google Inc's Android and Chrome operating systems"
            This was just corporate bullying with Microsoft using its big bucks muscle to threaten small fry. For them it was cheaper to pay what most observers perceived as extortion than to fight in court, which always has a risky outcome.

            In 2013 alone Samsung paid over $1 Billion to Microsoft in Android licensing fees alone.
            http://www.theverge.com/2014/10/4/69...lion-royalties
            and Samsung got tired of the strong arm and refused to pay after Microsoft torpedoed Nioka.

            By 2016 Microsoft apparently is trying a new approach. Signing up Android makers to sell WinPhones by charging them less than their Android license fees. Just a guess but what else would provoke normally business savvy people to jump onto WInphone which has sold only 110 million devices since it was first released, while iOS and Android are on 4.5 BILLION units world wide.
            http://www.businessinsider.com/micro...-office-2016-2

            However, their Android gravy train may be coming to and end. The peasants are fighting back. Barnes & Nobel was the first to fight Microsoft, as detailed in GrokLaw report.


            A lot of the smartphone patent wars are documented on Wikipedia, and some are still a work in progress.
            "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
            – John F. Kennedy, February 26, 1962.

            Comment


              #7
              What is needed is a LOT MORE ethical hackers. Consider just the tools of Knoppix. Consider Kali Linux, but if you cannot get past the login screen maybe you should consider at least donating some money, and I KNOW which of you made it past the login, PLEASE do not offer help!...hmm why did I say that? If you did then you won't! lol sorry.....

              Maybe just download an old copy of Midnight Commander.

              Boots on the ground are desperately needed!

              woodsmoke

              Comment

              Working...
              X