avoid setting up anonymous pages into file mapping in kernel CVE-2015-3288 [released]
Tracked by Jolla
(In release)
asked 2017-02-10 00:02:57 +0300
This post is a wiki. Anyone with karma >75 is welcome to improve it.
This vulnerability (CVSS v3 Base Score: 7.8 High) has been fixed in kernel 3.4.111 on March 21st '16 but Jolla1-2.1.0 is still on kernel 3.4.108.20161101 and needs that patch to prevent local apps (from e.g. aptoide or apk_s/rpm_s from the web) from gaining root privileges.
edit 20170327: still not fixed in 2.1.0.10 ea
edit 20170403: still not fixed in 2.1.0.11 ea
I thought we were on 3.10
kat6 ( 2017-02-10 06:48:00 +0300 )edit@kat6 no ,
lpr ( 2017-02-10 10:04:37 +0300 )editIs there active exploit i can use?
coderus ( 2017-02-10 10:21:01 +0300 )edit@coderus The bad guys will have it, for sure ;) since this entered mitre on 2015/04/10 and was fixed Jul 6, 2015 with kernel 4.1.4 but appeared on web.nvd.nist.gov 10/16/2016 and Google Jan'17 marked critical... quite enough time.
lpr ( 2017-02-10 13:56:13 +0300 )editTell me please what the point of writing edit 20170327: still not fixed in 2.1.0.10 ea edit 20170403: still not fixed in 2.1.0.11 ea in each your question?
coderus ( 2017-04-03 20:08:17 +0300 )edit