Comment 65 for bug 190587

I can confirm that applying the patch at the bottom of
http://lkml.org/lkml/2008/2/10/118 (thanks, Pavel!), as well as applying the
patch in 2.6.23.15/2.6.24.1, does indeed prevent the published exploit from
working on our system.

Whether or not it closes all attack vectors, it is probably worth pushing out at
least as an interim update since it prevents the published exploit from working
and that published exploit is being actively exploited in the wild.

Note that I believe a new CVE identifier has been assigned for the vulnerability
that 2.6.23.15/2.6.24.1 does not fix: CVE-2008-0600

Also note that, unlike CVE-2008-0009/0010, this is not specific to the
2.6.23/2.6.24 kernels. Older kernels are vulnerable too (including, for example,
2.6.18-53.1.4.el5 -- on that kernel, it is necessary to add
#define PAGE_SIZE getpagesize() to the published exploit, but with that addition
it works to get an instant root shell.)

I am *extremely* thankful this is only a local escalation-of-privilege and not a
remote root. It's bad enough as it is given what seems to be a significant
number of machines out there with hacked-up ssh/sshd binaries that record user
names and passwords, but a remote root being exploited in the wild like this
well before a working patch would be a nightmare!