June 15, 2004 5:24 PM PDT

Flaw pops up in Linux kernel

Linux users have been urged to fix a flaw in the core component of the open-source operating system, following the public release of code that could be used to crash Linux systems.



The flaw, found by two software programmers, could give a user with access to a Linux system the ability to crash the system using two dozen lines of code written in the C programming language, said an advisory posted over the weekend on linuxreviews.

"Assume your kernel is (vulnerable) unless you have good reason to believe it is safe," Oyvind Saether, one of the discoverers of the flaw, said in the advisory.

The program, dubbed "evil.c," causes problems with the code sent to the floating-point unit, the part of the processor that handles noninteger calculations, according to a note in a source code patch published by Linux founder Linus Torvalds.

The open-source Linux operating system has fallen prey to its share of flaws and attacks this year. Several flaws were found in the Concurrent Versions System, CVS, a commonly used application for managing open-source code under development. In March and April, online attackers targeted Linux and Solaris systems at many academic high-performance computing centers.

Researchers also found flaws in the OpenSSL software used by many Linux distributions to enable secure Internet communications.

On Monday, staffers associated with Red Hat's community-based distribution, Fedora, released an update to Fedora Core 2, to fix the latest problem. The kernel patch has also been included in the latest release candidate of the Linux kernel, 2.6.7-RC3, which is expected to be released soon.

Other distributions of Linux should be fixed this week as well.

Andrew Morton, the maintainer of the Linux 2.6 kernel, promised a fix within 48 hours and said the flaw was not very serious.

"Bugs wherein local users can lock the machine up are not uncommon, and local users have always been able to bring a machine to its knees anyway--say, by using up all the memory," he said.

Morton said the discoverers of the flaw didn't give the kernel team any notice before releasing the code to take advantage of the problem--a no-no in the security community.

5 comments
How Funny
by June 16, 2004 7:18 AM PDT
So, the current Linux kernel has a non-serious flaw that requires a person to write and compile C code to directly attack the system. How funny. I locked up Windows XP the other day with a BSOD just by clicking a wrong option for my network card in Control Panel. This article sounds incredibly biased and absolutely not objective whatsoever. The entire purpose and tone of this article is sensationalistic at best. Sure, bugs will be found here and there in almost all software, but 2-3 bugs in most Linux distributions over a period of 6-12 months, all of which were fixed *within hours*, does not warrant such a biased article by anyone. Some OS's contain hundreds of bugs and security flaws which cost the world as a whole hundreds of millions of dollars daily and those bugs and security flaws still haven't been fixed, yet the OS is *still* praised highly in most popular media.

This is my favorite part of the article: "Andrew Morton, the maintainer of the Linux 2.6 kernel, promised a fix within 48 hours and said the flaw was not very serious.

"Bugs wherein local users can lock the machine up are not uncommon, and local users have always been able to bring a machine to its knees anyway--say, by using up all the memory," he said."



Yeah right, I am sure he said that. Plus, I am also sure that he is completely unaware that you can limit a user account including memory resource usage, since he is the maintainer of the 2.6 kernel. Quotes without any real source only smear the publication in which they are written. Publications exactly like this one.
Bugs?
by bd84 June 16, 2004 7:42 AM PDT
You have bugs in any operating system; nothing is perfect. Big deal, you have one bug that COULD BE a problem. So what? It will be fixed within 48 hours, if not less. Besides, the more bugs that are found, the fewer bugs that are left... I love open source.
Flaw pops up in Cnet article
by June 16, 2004 8:43 AM PDT
"Linux users have been urged to fix a flaw in the core component of the open-source operating system"

Urged by whom? The self-publicists who failed to show the minimum courtesy of advising the kernel maintainers before releasing the code?

So, you get access to a unix command line, compile a few lines of code and with a malicious glint in your eye you run it and manage to halt your machine. Big deal. How hard is it for someone with access to the command line and compiler to cause problems on *any* operating system?

Hmm. As I've not heard of a general problem with the kernel I assume that this is a specially crafted exploit.

That's not to say that you should not patch your kernel in a timely fashion so that it is no longer vulnerable, but to imply that it could be deliberately used as an "attack" is ludicrous and unhelpful.

I'm sure that the flaws' reporters don't mind a bit.
Great article
by June 16, 2004 11:14 AM PDT
It's good to finally get some objectivity with regard to the Linux operating system. This OS has flaws and so be it!
CVS is NOT THE LINUX KERNEL
by June 17, 2004 7:24 AM PDT
The minor flaws were found in the CVS application/server which IS NOT THE LINUX KERNEL.

This is the kind of ignorance that proves that the author has no clue about what he is talking about.

TO THE AUTHOR : Stick to Windows or whatever you do comprehend, but learn what Linux is about before you make yourself look dumb.