The Kernel Bug, the Missing Patch and the 6-Years-Later Fix
"It just goes to show that not all distros are alike, and that all code can be expected to contain bugs," asserted Slashdot blogger Barbara Hudson. "The kernel has held up better than Ivory Soap. Like Ivory Soap, the kernel is 'pure enough' for most purposes, most of the time." Bottom line: "This incident hasn't altered my confidence in linux."
08/30/10 5:00 AM PT
So widely acknowledged are the security advantages of Linux that on those rare occasions when a bug is found, it tends to makes quite a splash.
Such, in fact, is just what happened recently when news broke of the Linux kernel bug that -- it turns out -- had been around since 2004.
A fix was actually supplied back then by SUSE maintainer Andrea Arcangeli, apparently; for some unknown reason, however, it never got incorporated into the Linux kernel, according to a report on The H.
That, fortunately, has now been corrected with the release of the 220.127.116.11 kernel, as announced by kernel developer Greg Kroah-Hartman not long ago.
Nevertheless, even the most ardent Linux supporter can only wonder what happened to delay the fix this long. Slashdot bloggers, not surprisingly, were no exception.
'Something Has Gone Wrong'
"So, only 6 years late then?" wrote smash, for example. "SuSE just went way up in my book."
Similarly, "something has gone wrong if it took 6 years for this to happen," opined JohnFluxx.
Indeed, "I hope they spend a little time reviewing how this got missed, to make sure it's not a flaw in their process that could allow it to happen again," wrote Americano.
"Yes, these things are less likely to happen with Linux," but "that doesn't mean Linux kernel processes are above reproach, and can't be made more responsive & accountable in cases like this where somebody obviously dropped the ball on merging a patch somewhere," Americano added.
"It would be good to know where the breakdown in communication happened," agreed petermgreen.
'5 Years Old and No Exploit'
"My guess would be an oversight at kernel.org," offered jittles. "I submitted a kernel patch to the USB HID driver back in the days of 2.6.10 and 2.6.13. The driver was incorrectly suspending its state while it held onto a spinlock. The result was 100% CPU utilization when you called certain ioctls made available by the driver.
"The patch didn't make it in until 2.6.17 if I recall correctly, and not until someone with a name submitted a patch for it," jittles added.
Of course, "5 years old and no exploit," Anonymous Coward pointed out.
That may well be true -- and a testament to the power of Linux, no less. But should Linux fans be concerned about the apparent breakdown in the process? Linux Girl took to the streets of the blogosphere to find out.
'A Bit Sad That It Took This Long'
"In essence this bug requires a bug somewhere else to be exploitable, so it needs a bug elsewhere and seems to primarily affect desktop systems," Montreal consultant and Slashdot blogger Gerhard Mack told Linux Girl.
"Still a bit sad that it took this long to be patched, though," Mack added.
Indeed, "the bug attacked Xorg, so most headless servers and the Internet were never under threat," noted Barbara Hudson, a blogger on Slashdot who goes by "Tom" on the site. "Additionally, for me it was never an issue because I use openSuse, which has had the fix since 11.1, so I can safely ignore it."
'Better Than Ivory Soap'
As for why the fix took so long to get into the main line kernel, "for that, you'd have to ask the maintainers," Hudson noted.
"It just goes to show that not all distros are alike, and that all code can be expected to contain bugs," Hudson asserted. "The kernel has held up better than Ivory Soap. Like Ivory Soap, the kernel is 'pure enough' for most purposes, most of the time."
Bottom line: "This incident hasn't altered my confidence in linux," Hudson added.
"The traditional answer is that 'nobody' knows how many flaws like this exist in the Windows NT codebase, except perhaps for anyone who has exploited them," Hyperlogos blogger Martin Espinoza pointed out. "Thus, you really can never know the full risk of any particular Windows system, either."
'All Software Has Bugs'
Indeed, "ALL software has bugs," Slashdot blogger hairyfeet told Linux Girl. "The whole 'more eyes makes bugs shallow' is nothing but a bad joke."
After all, "how many of those eyes have the prerequisite knowledge required to picture all the complex actions that are required of any major system file?" hairyfeet asked. "As we have seen with more and more Mac bugs, as any system gains in popularity, more attacks will be launched.
"All one can do is keep their eyes open for the latest attacks and use due diligence, such as turning off all unneeded services," hairyfeet concluded.
If nothing else, "it's good to be reminded we are vulnerable," blogger Robert Pogson opined. "Thank goodness GNU/Linux is not like that other OS, where vulnerabilities are tolerated for years after being made public because they are 'features.'"