Please create an account to participate in the Slashdot moderation system


Forgot your password?
User Journal

Journal Journal: 2008: Linux privilege escalation bugs

Just want to store this research somewhere where I can link to it easily. (Original post).

If one analyzes the 10 Linux privilege escalation bugs reported for 2008 at Secunia one finds:

Of those, 5 were in proprietary software packages for Linux: Acrobat Reader, MaxDB, Avaya, SSH Tectia Client, and Red Hat Enterprise Linux. Not interesting for ordinary desktop users.

Of the other 5, 1 was in KDE, so that wouldn't affect 100% of Linux users, let's be generous (the most popular free distros use Gnome) and say that's 50% of users.

Of the other 4, 1 seems to work on general Linux systems (sys_remap_file_pages() bug).

Of the other 3, 1 requires the USBLCD driver to be used or only gives group privilege escalation, 1 requires Intel G33 series or newer chipset, and 1 requires that the kernel is running as VMI guest on a x86 system. How many boxes does that cover? Not many, except perhaps for the Intel chipsets --- let's say another 50% (because I have no idea what market share Intel has).

So that's something like 2, maybe 2.5 bugs in all of 2008. Is that "many"? Matter of opinion.

So, in summary, between 10% and 25% of the reported bugs were really mainstream.

The program isn't debugged until the last user is dead.