A local root kernel vulnerability
Commit 8cae8cd89f05 went into the mainline kernel repository on July 19; it puts a limit on the size of buffers allocated in the seq_file mechanism and mentions "int overflow pitfalls". For more information, look to this Qualys advisory describing the vulnerability:
We discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.
It may not sound like much, but they claim to have written exploits for a number of Ubuntu, Debian, and Fedora distributions. Updates from distributors are already flowing, and this patch has been fast-tracked into today's stable kernel updates as well.
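
The arithmetic behind the "-2GB-10B" offset in the advisory, as an added userspace illustration (not code from the kernel, the commit, or Qualys): a 2GB size_t narrowed to int becomes negative, and a size cap applied before the conversion stops it. The function names, the cap value, and the model of a callee that fills the buffer backwards from its end are assumptions made for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cap standing in for the size limit the fix introduces. */
#define BUF_SIZE_CAP ((size_t)INT_MAX)

/* Model of passing a size_t to an `int` length parameter. The out-of-range
 * conversion is implementation-defined; GCC and Clang keep the low 32 bits,
 * which is reproduced here explicitly so the result is deterministic. */
static int narrow_to_int(size_t n)
{
    uint32_t low = (uint32_t)n;
    int32_t out;
    memcpy(&out, &low, sizeof out);
    return out;
}

/* Assumed model: the callee fills the buffer backwards from buf + buflen,
 * so a suffix lands at offset buflen - suffix_len from the buffer start. */
static long long unchecked_suffix_offset(size_t buf_size, size_t suffix_len)
{
    return (long long)narrow_to_int(buf_size) - (long long)suffix_len;
}

/* Hardened form: reject sizes that cannot survive the conversion to int. */
static int checked_suffix_offset(size_t buf_size, size_t suffix_len,
                                 long long *off)
{
    if (buf_size > BUF_SIZE_CAP || suffix_len > buf_size)
        return -1;
    *off = (long long)buf_size - (long long)suffix_len;
    return 0;
}

int main(void)
{
    size_t two_gb = (size_t)1 << 31;          /* constructed sample size */
    size_t suffix = sizeof("//deleted");      /* 10 bytes including NUL */
    long long off = 0;

    printf("unchecked offset: %lld\n", unchecked_suffix_offset(two_gb, suffix));
    printf("checked result:   %d\n", checked_suffix_offset(two_gb, suffix, &off));
    return 0;
}
```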