User Journal

Journal: I am NOT anonymous

Journal by Mathinker


% echo -n "I am Mathinker, my salt is UAeqTvlu" | md5sum
efb98ed34ba58ecd29b07b1909d21da3 -

User Journal

Journal: 2008: Linux privilege escalation bugs

Journal by Mathinker

Just want to store this research somewhere where I can link to it easily. (Original post).

If one analyzes the 10 Linux privilege escalation bugs reported for 2008 at Secunia one finds:

Of those, 5 were in proprietary software packages for Linux: Acrobat Reader, MaxDB, Avaya, SSH Tectia Client, and Red Hat Enterprise Linux. Not interesting for ordinary desktop users.

Of the other 5, 1 was in KDE, so that wouldn't affect 100% of Linux users; let's be generous (the most popular free distros use Gnome) and say that's 50% of users.

Of the other 4, 1 seems to work on general Linux systems (sys_remap_file_pages() bug).

Of the other 3, 1 requires the USBLCD driver to be used or only gives group privilege escalation, 1 requires an Intel G33 series or newer chipset, and 1 requires that the kernel is running as a VMI guest on an x86 system. How many boxes does that cover? Not many, except perhaps for the Intel chipsets --- let's say another 50% (because I have no idea what market share Intel has).

So that's something like 2, maybe 2.5 bugs in all of 2008. Is that "many"? Matter of opinion.

So, in summary, between 10% and 25% of the reported bugs were really mainstream.