Linux's NEW 8 year old privilege escalation bug

There is so much talk about Linux, it comes up really often in conversations, it feels strange.
Focus on BSD world instead, it could be better for the community and in the end it sends out more positive energy ;)
 
Having read those articles I ask myself why people are so eager to consume such headlines?

There were few numbers given and interpretations are questionable. What is wanted are your clicks and data left on such sites. Doomsday phrases do sell.

If you have a “feeling” that a project is stalling, look at the source repos and try to extract committer metadata over time. With the data you can plot nice graphs over time visualizing personnel fluctuations. It would make me wonder if the FreeBSD Foundation would not have the whole picture of actual trends. But I’m not seeing any detailed statistics published.

Microsoft as the owner of Github does frequent analysis on any public repos they do host. They know who might be a good catch for their own staff.
 
Sadly nothing is perfect - this is a six-year old one from FreeBSD, versions 11 onwards:


There was a good web page explaining how it worked but it doesn't seem to be responding right now. A local user could escalate themselves to root without too much effort; just like the Linux issue.

Whatever you use - keep patching.
My guess, you mean this article: https://accessvector.net/2022/freebsd-aio-lpe

Looks like it's back to life. :)
 
Is this a personal appreciation or a truth?
I think even professionals look after number one.
There is no suggestion from van Sprundel that any of the 'BSDs are "dying". The other "security researcher" merely states an opinion. Plenty of "security researchers" also have very negative opinions of Linux and other OS.

No idea why this one gets dragged out over and over again... despite the research being perfectly valid and bugs being found and fixed, the conclusions drawn are sensationalist and bordering on ridiculous. According to certain quarters of the tech press, the BSDs have probably been dying since 1995 due to "lack of developers". Despite such claims, active development continues. Click bait crap.
 
the BSDs have probably been dying since 1995 due to "lack of developers". Despite such claims, active development continues.
It was "dying" when I first started with FreeBSD some 25 years ago. Yet here we are, still kicking and screaming.

Sadly nothing is perfect - this is a six-year old one from FreeBSD, versions 11 onwards:

https://www.freebsd.org/security/advisories/FreeBSD-SA-22:10.aio.asc
Yeah, how about this one?
 
Good thing this is in the 'Off-Topic' section...

Unresolved bugs this old are exactly why I roll my eyes at 'Debugging Bootcamps'. Just a quick Google search on that term turned up stuff like a $4200 camp in Atlanta, GA... Even if a bug is properly defined, there's plenty of bugs a debugger won't catch. Calling the wrong API, graceful handling of errors, using incorrect formula, and whatnot.

Don't get me wrong, there are benefits to learning how to use a debugger. It's just that sometimes, to really fix a bug/design flaw/mistake/whatever, you gotta redo the whole enchilada from ground up.
 

With every one of these I am more and more happy that I am using BSDs and more scared of my Android phone.
/me yawns...

I am pretty sure that a well experienced security researcher is able to find some bugs at least that old as well in any of the BSD's kernels, may it be FreeBSD, NetBSD or OpenBSD.
 
It is not the case but I still use telnet if I want to look at the line noise values of my home router. telnet 192.168.0.1
 
But Android is absolute trash and happens to have many more bugs than both combined (by design).
That is a very interesting statement. Do you have any evidence to back it up? In particular the "by design" part?

Unresolved bugs this old are exactly why I roll my eyes at 'Debugging Bootcamps'. ...
Note that the OP is not an 8-year old bug. It is an 8-year old vulnerability, which was only found in 2022. So it is a weeks- or months-old bug.
 
That is a very interesting statement. Do you have any evidence to back it up? In particular the "by design" part?
Not fantastic evidence (I try to stay away from this naff consumer-heavy stuff as much as possible after all!). However, some papers and examples as to why they are relevant:
  • Planned obsolescence (i.e. too locked down. You are prevented from applying security updates to your own device when the manufacturer drops support. IoT and phones both running Android exhibit the same issues)
  • Purposefully naive permissions system (i.e. to run a note-taking app, you are required to allow it full access to your camera, emails, mic arbitrarily. It should be no-permission by default unless the user manually changes the *necessary* ones. However this current default is for the vendor to harvest as much data as possible)
  • Lack of user control / access (i.e. too locked down. You don't have the necessary permissions to audit your own device, often you can't install a proper trusted firewall, often you can't even install an ad-blocker, etc.)
It basically stems from the underlying business case for these devices to take as much control away from the user as possible, which means that you can't properly maintain it. The business case is the same as with games consoles. By design locking it down to protect the publishers / partners / content owners (i.e. DRM) more so than the users. Some general discussion here.

Imagine being given a mature 3-year-old Windows laptop to use without admin rights to put your credit card details into in order to purchase something. Could you really trust it? It would be a mess of Simpsons mouse cursors. An Android phone is really no different; actually worse. You can't see inside the filesystem / process list on many of them and yet many people input their card details and personal information on a daily basis.

I assume that is why Windows is changing in such a way that people are becoming more and more concerned about its data harvesting. Microsoft is a little late to the data selling party and wants a piece of the pie that Google's Android (and Apple) has made for itself.
 