Urgent Kernel Patch for Ubuntu

Linux is engineered with security in mind. In fact, the most fundamental security mechanisms are built right in to the kernel itself, which makes it extremely hard for malicious code to bypass. Unfortunately, attackers always are looking for ways to break down security walls, and engineers constantly are patching security weaknesses.

Security holes often are caused by small bugs within the kernel. These can be exploited and used to execute code without the normal protection. When a serious hole is discovered, it's important to get a fix out as soon as possible. Unfortunately, rushed fixes sometimes cause problems of their own, such as the fix released by Canonical earlier this week.

Canonical discovered a security hole in the Linux kernel on May 4, 2014. The hole made it possible for programs to gain administrator privileges, opening the door to a number of serious exploits.

However, Canonical's new patch caused regressions in Ubuntu versions 14.10 and 14.04. A regression is a type of bug where previously working code becomes defective. In this case, the bugs were unrelated to the area of the kernel that had been repaired, they just managed to "creep in" to the release. These bugs are related to the auditing of some path names. This made the system unstable and could cause occasional crashes.

Canonical quickly repaired these issues and released a new update May 8, 2015.

The original problem was caused by a race condition in the kernel between two system calls. By exploiting this race condition, malicious code would be able to increase its privileges to admin level. Admin access allows a program to make sweeping changes to files and settings for the entire operating system. This is an extremely severe security risk, as malicious code can bypass the normal security barriers that safeguard the operating system.

Canonical's patch has been pushed to the upstream kernel, so it should be available to other distros that use the same kernel version.

The regressions were specific to the two versions of Ubuntu noted above. They are now repaired, and the correct patch will be installed for users who update their system as of now. For users who haven't applied these patches, it's essential to do so immediately. The patches can be applied through the "Software Updater" app.

There is one last wrinkle. In patching the security hole, Canonical has had to change the kernel's ABI. The ABI is the binary interface between different modules of the kernel. The result of this change is that custom modules no longer will work with the patched kernel unless they are recompiled or updated through the package manager.

Kernel modules cover functionality, such as device drivers and filesystem drivers. If you notice any instability with your display or other devices, you should update the affected modules manually. If the updates are not available through APT, you may need to recompile the modules from source.

Resources

Load Disqus comments