An ancient kernel hole is closed

Written By
Web Webster
Aug 29, 2010

“A longstanding bug in the Linux kernel—quite possibly
since the first 2.6 release in 2003—has been fixed by a
recent patch, but the nearly two-month delay between the report and
the fix is raising some eyebrows. It is a local privilege
escalation flaw that can be triggered by malicious X clients
forcing the server to overrun its stack.

“The problem was discovered by Rafal Wojtczuk of Invisible
Things Lab (ITL) while working on Qubes OS, ITL’s
virtualization-based, security-focused operating system. ITL’s CEO
Joanna Rutkowska describes the flaw on the company’s blog and
Wojtczuk released a paper [PDF] on August 17 with lots more
details. In that paper, he notes that he reported the problem to
the X.org security team on June 17, and by June 20 the team had
determined that it should be fixed in the kernel. But it took until
August 13 before that actually happened.

“In addition, the description in the patch isn’t terribly
forthcoming about the security implications of the bug. That is in
keeping with Linus Torvalds’s policy of disclosing security bugs
via code, but not in the commit message, because he feels that may
help “script kiddies” easily exploit the flaw. There have been
endless arguments about that policy on linux-kernel, here at LWN,
and elsewhere, but Torvalds is quite adamant about his stance.
While some are calling it a “silent” security fix—and to some
extent it is—it really should not come as much of a
surprise.”
