[LEDE-DEV] Stability & release plans -- CVE-2016-5195

Alberto Bursi alberto.bursi at outlook.it
Sat Oct 29 03:10:18 PDT 2016

On 10/29/2016 03:18 AM, J Mo wrote:
> On 10/28/2016 11:39 AM, yanosz wrote:
>> 1. I'm unhappy with the state of OpenWRT at the moment. I see some
>> trouble in building and releasing. The current code base has some bugs.
>> I haven't seen a fix for "mad cow" yet. For me it is hard to estimate
>> whether OpenWRT is able to include, build and release critical patches
>> over the next months in a timely fashion.
> My impression is that CVE-2016-5195 (also known by its marketing name
> for low-intellect individuals as "dirty COW") is mostly a non-issue on
> OpenWRT/LEDE. This is why you have not heard much about a response for it.
> The exploit is a privilege escalation. However, almost everything on a
> standard LEDE/OpenWRT system already runs as root anyway, since these
> kinds of systems are not designed for multi-user scenarios.

Uhm, I think you are wrong.
In OpenWRT/LEDE applications that don't need root access are run as 
unprivileged users for security reasons, so yes, a privilege escalation 
is BAD also for OpenWRT/LEDE.

root@lede:/# cat /etc/passwd

And for LEDE the answer to the vulnerability was "finish the porting to 
latest kernel 4.4 for all devices ASAP, as that kernel is an LTS kernel so 
it received the fix upstream, and apply patches to other kernels", see 
these mailing list posts:

So current LEDE is already protected; I don't know if this stuff also 
ends up in OpenWRT.
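As an added example (not from Alberto's post, the thread, or the LEDE project), here is a small POSIX shell audit script covering the two checks the reply relies on: listing the non-root accounts that LEDE/OpenWRT services are dropped to (the point the `cat /etc/passwd` was meant to show), and comparing the running kernel version with the first release of its series that carries the upstream fix. The `/etc/passwd` excerpt is constructed sample data, and `FIXED_KERNEL` is a placeholder the reader supplies from the changelog of the kernel series in use; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from LEDE/OpenWRT.
# Two defender-side checks for a local privilege escalation bug such as
# CVE-2016-5195: does the box actually have unprivileged accounts that a
# service runs as, and is the running kernel at or past the fixed release.

# Constructed /etc/passwd excerpt in the style of an OpenWRT/LEDE image
# (sample data, not copied from a real device).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false'

# Print the names of all accounts whose UID is not 0, i.e. the users that
# services drop privileges to. A non-empty list means a root-escalation
# bug does matter on this system, whatever the "everything is root" folklore says.
unprivileged_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 != 0 { print $1 }'
}

# Same check reduced to a number, for use in scripts.
unprivileged_count() {
    unprivileged_accounts "$1" | wc -l | tr -d ' '
}

# Numeric comparison of dotted versions (major.minor.patch); a plain
# string compare would rank 4.4.9 above 4.4.26. Returns 0 when $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# $1: running kernel version as printed by `uname -r` (a "-lede" style
# suffix is stripped); $2: first release of that series with the fix.
kernel_is_patched() {
    base=$(printf '%s\n' "$1" | cut -d- -f1)
    version_ge "$base" "$2"
}

# Demo run against the constructed sample and the live kernel.
printf 'Unprivileged accounts in sample passwd: %s\n' "$(unprivileged_count "$SAMPLE_PASSWD")"
unprivileged_accounts "$SAMPLE_PASSWD" | sed 's/^/  /'

# FIXED_KERNEL is a placeholder: set it (e.g. FIXED_KERNEL=4.4.NN) to the
# first release of your kernel series that carries the upstream fix.
running=$(uname -r)
if [ -n "${FIXED_KERNEL:-}" ]; then
    if kernel_is_patched "$running" "$FIXED_KERNEL"; then
        printf 'Kernel %s is at or past %s: fixed\n' "$running" "$FIXED_KERNEL"
    else
        printf 'Kernel %s is older than %s: NOT fixed\n' "$running" "$FIXED_KERNEL"
    fi
else
    printf 'Kernel %s; set FIXED_KERNEL to check it against the fixed release\n' "$running"
fi
```

On a real device replace `SAMPLE_PASSWD` with `$(cat /etc/passwd)`; the version compare deliberately ignores the `-lede`/`-openwrt` suffix because the distribution builds carry their own patch series on top of the upstream point release, so the base version alone is the thing to compare.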


More information about the Lede-dev mailing list