Weblog Navigation
First Previous Index Next Last
Bug in Udev Security Patch (Tuesday, July 21st, 2009)

The patch for this security hole in udev breaks the hotplug system on Slackware 10.2. The patch was released on April 20th of this year; I hadn't noticed a problem until now because the bug doesn't manifest until reboot. Fortunately, two of the servers I manage went down due to unrelated power outages within 24 hours of each other, so I was able to quickly figure it out.

While booting, a Slackware 10.2 system will normally display this message:
Activating hardware detection: /etc/rc.d/rc.hotplug start
A system affected by this bug will stop there, going no further.

Ctrl-Alt-Del still works, and you can disable the hotplug system by giving nohotplug as a kernel option in LILO. Then all you need to do is run upgradepkg on the original udev package (not the patch), reboot normally, and everything should be fine. Except, of course, for the now-unpatched security hole that enables local users to gain root privileges (and when I say “local” of course I mean any unpatched PHP-based bulletin board system or whatever you might be running).

I don't know what other Slackware versions besides 10.2 might also be affected. 12.0 and later seem to be OK, and 10.1 and earlier didn't get this patch (perhaps udev-050 isn't affected by the hole), but I haven't tested 11.0 yet. Interestingly, Slackware 10.2 and 11.0 aren't supposed to use udev by default, since they normally use a 2.4 kernel (udev was included so you could run a 2.6 kernel if you wanted to).

I have reported the issue to Slackware.
