With today's release of Linux kernel version 2.2.25, Alan Cox announced a vulnerability in the ptrace() system call that affects both the 2.2 and 2.4 stable kernels. The earlier 2.2.24 kernel was released a couple of weeks ago, with today's 2.2.25 release adding only the fix for this ptrace vulnerability. Alan explains:
"The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows local users to obtain full privileges. Remote exploitation of this hole is not possible. Linux 2.5 is not believed to be vulnerable."
When asked whether or not a new 2.4 kernel would be forthcoming as well, Alan suggested, "If you build your own kernels apply the patch, if you use vendor kernels then you can expect vendor kernel updates to appear or have already appeared". Read on for Alan's complete announcement, as well as a patch that fixes the problem in the 2.4 kernel.