[LEDE-DEV] Stability & release plans -- CVE-2016-5195
alberto.bursi at outlook.it
Sat Oct 29 03:10:18 PDT 2016
On 10/29/2016 03:18 AM, J Mo wrote:
> On 10/28/2016 11:39 AM, yanosz wrote:
>> 1. I'm unhappy with the state of OpenWRT at the moment. I see some
>> trouble in building and releasing. The current code base has some bugs.
>> I'ven't seen a fix for "mad cow" yet. For me it is hard to estimate
>> whether OpenWRT is able to include, build and release critical patches
>> over the next months in a timely fashion.
> My impression is that CVE-2016-5195 (also known by it's marketing name
> for low-intellect individuals as "dirty COW") is mostly a non-issue on
> OpenWRT/LEDE. This is why you have not heard much about a response for it.
> The exploit is a privilege escalation. However, almost everything on a
> standard LEDE/OpenWRT system already runs as root anyway, since these
> kinds of systems are not designed for multi-user scenarios.
Uhm, I think you are wrong.
In OpenWRT/LEDE applications that don't need root access are run as
unprivileged users for security reasons, so yes, a privilege escalation
is BAD also for OpenWRT/LEDE.
root at lede:/# cat /etc/passwd
And for LEDE the answer to the vulnerability was "finish the porting to
latest kernel 4.4 for all devices ASAP as that kernel is a LTS kernel so
it received the fix upstream, and apply patches to other kernels", see
these mailing list posts:
So current LEDE is already protected, I don't know if this stuff also
ends in OpenWRT.
More information about the Lede-dev