[NTLUG:Discuss] Multiple Linux Flaws Reported

terry kj5zr at yahoo.com
Sun Apr 18 20:03:31 CDT 2004


A friend has called this to my attention:
<http://www.esecurityplanet.com/trends/article.php/3341341>

"Multiple Linux Flaws Reported"
April 16, 2004
By Ryan Naraine

It says, "Security researchers are warning of a buffer overflow security 
flaw in the Linux kernel that can be exploited to lead to privilege 
escalation attacks."

It goes on to say, "The company found that affected versions of Linux 
kernel performed no length checking on symbolic links stored on an 
ISO9660 file system, a problem that allows a malformed CD to perform an 
arbitrary length overflow in kernel memory."

"Symbolic links on ISO9660 file systems are supported by the 'Rock 
Ridge' extension to the standard format. The vulnerability can be 
triggered by performing a directory listing on a maliciously constructed 
ISO file system, or attempting to access a file via a malformed symlink 
on such a file system. Many distributions allow local users to mount 
CDs, which makes them potentially vulnerable to local elevation 
attacks," according to the security alert.

Not sure what to make of it, but do we need to change some permissions 
someplace?  Is this a real problem of some sort?

I don't [fully] understand.

Also:
"Separately, security firm Secunia warned of an information leak and 
denial-of-service holes in Linux Kernel 2.4.x and 2.6.x. The 
information leak problem was discovered with the ext3, XFS, and JFS file 
system code and can lead to the exposure of data like cryptographic keys 
to malicious attackers.

Another error was found within the OSS code for SoundBlaster 16 devices 
that could be used to trigger denial-of-service attacks when odd numbers 
of output bytes are submitted."
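
Added example, not part of the original post: the quoted alert ties local exposure to distributions that let ordinary users mount CDs, so one check is to list the fstab entries that delegate mounting of a possibly-ISO9660 medium to non-root accounts. The sample fstab is constructed, and the function names are assumptions of this example.

```shell
#!/bin/sh
# find_user_mountable FSTAB
# Prints "device mountpoint fstype options" for every entry that a
# non-root user may mount and whose type can resolve to iso9660.
find_user_mountable() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }        # skip comments and short lines
        {
            fstype = $3; opts = $4
            # The iso9660 driver is reachable when the type list names it,
            # or when "auto" lets mount probe the medium.
            iso = 0
            n = split(fstype, types, ",")
            for (i = 1; i <= n; i++)
                if (types[i] == "iso9660" || types[i] == "auto") iso = 1
            if (!iso) next
            # user, users, owner and group hand mount rights to
            # non-root accounts (see mount(8)).
            m = split(opts, o, ",")
            for (i = 1; i <= m; i++)
                if (o[i] == "user" || o[i] == "users" ||
                    o[i] == "owner" || o[i] == "group") {
                    print $1, $2, fstype, opts
                    next
                }
        }
    ' "$1"
}

# Constructed sample input, not taken from any real system.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# device    mountpoint   type         options          dump pass
/dev/hda1   /            ext3         defaults         1 1
/dev/cdrom  /mnt/cdrom   iso9660      noauto,user,ro   0 0
/dev/hdd    /mnt/dvd     udf,iso9660  noauto,owner,ro  0 0
/dev/sr1    /mnt/cd2     iso9660      noauto,ro        0 0
/dev/fd0    /mnt/floppy  auto         noauto,users     0 0
/dev/sda1   /mnt/usb     vfat         noauto,user      0 0
EOF
}

tmp=$(mktemp)
write_sample_fstab "$tmp"
find_user_mountable "$tmp"    # on a real host: find_user_mountable /etc/fstab
rm -f "$tmp"
```

Dropping the delegating option from a listed entry only narrows who can present a disc to the kernel; the flaw itself is closed by a kernel that performs the length check.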