Toast Posted May 10, 2016 Posted May 10, 2016 http://www.theregister.co.uk/2016/05/09/allwinners_allloser_custom_kernel_has_a_nasty_root_backdoor/ so congrats 2
tkaiser Posted May 10, 2016 Posted May 10, 2016 I've neither found this nor fixed the code -- I just sat in a beergarden watching others do the work, wrote a summary later and also informed affected vendors where possible (LinkSprite and CubieTech still ignoring the issue and SinoVoip as usual providing a fix in the most complicated way so 99,9% of their users are still affected by exploits targeting this vulnerability, same applies most probably to 100% of Xunlong/loboris OS image users). So kudos to the people who discovered this and fixed it! We should take this as a reminder why 'legacy' kernels should be avoided where possible. You never know how many of these issues are present there since vendor provided kernels are made without code/peer review by contractors/employees paid by SoC vendors that do not care about security at all. Expect the worst. Always! And that's why the ability to use mainline kernel is that important. And why it's important to use a distro like Armbian that is actively developed. I would suspect that most if not all OS images for Orange Pis that are still available on orangepi.org download section will never be upgraded and that the users there not even know what's going on. 3
Recommended Posts