KASAN Spots Another Kernel Vulnerability From Early Linux 2.6 Through 4.20

  • KASAN Spots Another Kernel Vulnerability From Early Linux 2.6 Through 4.20

    Phoronix: KASAN Spots Another Kernel Vulnerability From Early Linux 2.6 Through 4.20

    The Kernel Address Sanitizer (KASAN) that detects dynamic memory errors within the Linux kernel code has just picked up another win with uncovering a use-after-free vulnerability that's been around since the early Linux 2.6 kernels...

    http://www.phoronix.com/scan.php?pag...-CVE-2019-8912

  • #2
    While obviously a vulnerability isn't good, it is nice to see that kernel testing is finding these things.


    • #3
      If it has been there since 2.6.x, why hasn't it been spotted until now? It's not like KASAN is a brand new tool.


      • #4
        well that socks


        • #5
          So Huawei are making us more secure? What crazy times we live in


          • #6
            Isn't the news or the American government pushing the story that "Huawei are evil!!!!" right now?

            Meanwhile... Huawei have just found and reported a serious Linux vulnerability. Thanks guys


            • #7
              Originally posted by cybertraveler
              Isn't the news or the American government pushing the story that "Huawei are evil!!!!" right now?

              Meanwhile... Huawei have just found and reported a serious Linux vulnerability. Thanks guys
              The same in the UK, "we can't trust them, they are an arm of the Chinese state" etc etc. Our governments aren't pissed about the possibility of backdoors in their hardware, they are pissed because Huawei won't put backdoors in for western agencies. Ironically I think the Chinese state are really interested in the commercial success of their technology companies and this probably makes them think twice about jeopardising their efforts with security holes. They even do capitalism better than us, jeez, that's embarrassing

              Of course on the other hand maybe Huawei are just getting rid of all their dirty laundry now and publicly outing their exploits before someone else does
              Last edited by Murple; 02-20-2019, 05:39 PM.


              • #8
                Speculating conspiracies will lead us nowhere, it could be a decoy, it could be actual good faith, it could be one branch doing something the other does not know, it could even be counter espionage by revealing a vulnerability they were exploring when they noticed someone else using it.

                What this kind of discussion does prove is that we should really be more concerned about two things, open and verifiable systems on one hand, and actually verifying them on the other.

                Even regarding normal performance benchmarks we are lacking, case in point all the regressions Michael here has been spotting as we see often on his benchmarks.


                • #9
                  You're right it could be many things, but speculating wildly is kinda enjoyable so don't take that away from me!

                  The rest of your points are spot on tho


                  • #10
                    Originally posted by cybertraveler
                    Isn't the news or the American government pushing the story that "Huawei are evil!!!!" right now?

                    Meanwhile... Huawei have just found and reported a serious Linux vulnerability. Thanks guys
                    You're very trusting. I wonder if they might've previously known about it and are just now publicizing these exploits. Or, perhaps they launched an initiative to find such bugs in other products to help their own reputation.

                    We don't know what we don't know. No matter what Huawei says or does, I wouldn't entrust critical infrastructure to state-owned tech companies. In fact, no matter who builds it, I think the hardware and software sources should be kept in escrow, if not entirely open source.
