November 06, 2009, 2:43 PM — Most of the time you can go for months, years, without patching your Linux distribution and not be in any real danger. A recently uncovered security hole in the Linux kernel does deserve your attention.
Specifically, Earl Chew, a Linux developer, and, at about the same time, Brad Spengler, creator of the Linux security program Grsecurity, discovered that there was a possible null pointer error that could, in theory, enable non-root users grab administrator privileges. You don't want that to happen.
This particular bug, known in developer circles as CVE-2009-3547, hits all modern versions of the Linux 2.6 kernel It's been fixed in the upcoming 2.6.32 RC (release candidate), but unless you're running on Linux's bleeding edge, you're not running that version of the kernel.
So chances are you might have this problem. I say might because for this security hole to be open the value to the mmap_min_addr pointer has to be zero. If it's not, you're safe.
Most distributions give this pointer a value. But, there are claims that to enable Wine, the popular program that lets you run Windows programs on Linux, its value must be set to zero. That's not true though. On my own Linux systems, I often run Wine, and its commercial big brother, CrossOver Linux, and on my PCs, mmap_min_addr is not set to zero.
That aside, there are some Linux distributions, such as Red Hat Enterprise Linux and Novell's SUSE Linux where the pointer is set by default to zero, which makes them vulnerable to attack. In Red Hat's case, the fix is already available. With SUSE, the permanent patch, as of November 6th, is still on its way.
That doesn't mean, however, you have to sit and wait for your upstream provider to come up with a fix. You can reset the pointer yourself while holding out for the permanent fix.
To see if you need to bother, head over to a shell and run the following command:
cat /proc/sys/vm/mmap_min_addr
If this gives you a zero or no value, then you're potentially vulnerable. If it gives you any other number, life is good and you don't need to worry with it.
But, if the news is bad, just run this command:
sysctl -w vm.mmap_min_addr="1024"
Or, you can use any other numeric value up to 65535 and your system will be safe until it's rebooted again.
There are ways to permanently set it to a new value, but since, like most Linux users, I tend to re-boot my systems once every blue moon, I'm not going to bother with these.
The way I figure it, all the Linux vendors will have this hole patched long, long before I reboot my systems again. Your usage may vary.
In any case, if you're running Red Hat, patch now. If you're running a Red Hat variant, like CentOS or Oracle Unbreakable Linux or a SUSE Linux, you'll want to run the sysctl fix. Debian and Ubuntu users seem to be safe, but if you want to make doubly sure, just run the cat command and you'll know for sure.
