Frederik Dannemare <[EMAIL PROTECTED]> wrote:
> just curious: any particular reason why we didn't see a backport any sooner
> of the integer overflow in the brk system call (see recent announcement by
> Wichert Akkerman:
> http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00212.html)
> like we did with the ptrace issue some time back?
>
> Wasn't it (the brk vuln) considered to be threatening enough to justify a
> quick fix, or was it because the fix by Andrew Morton didn't say (kernel
> changelog) enough about the potential seriousness of the vuln, or?

Apparently nobody knew it was comparable to ptrace, it looked like a simple
bugfix and not like a local root exploit.

| Robert van der Meulen managed to decrypt the binary which revealed
| a kernel exploit.

cu andreas