udev: Multiple vulnerabilities

udev: Multiple vulnerabilities Two errors in udev allow for a local root compromise and a Denial of Service. udev 2009-04-18 2009-04-18 266290 local 124-r2 124-r2

udev is the device manager used in the Linux 2.6 kernel series.

Sebastian Krahmer of SUSE discovered the following two vulnerabilities:

udev does not verify the origin of NETLINK messages properly (CVE-2009-1185).
A buffer overflow exists in the util_path_encode() function in lib/libudev-util.c (CVE-2009-1186).

A local attacker could gain root privileges by sending specially crafted NETLINK messages to udev or cause a Denial of Service.

There is no known workaround at this time.

All udev users should upgrade to the latest version:


    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-fs/udev-124-r2"

CVE-2009-1185 CVE-2009-1186 a3li a3li a3li