Rachel Kroll has clarified the atop alarm: it turns out it was just a weird little bug, and it has most likely already been fixed.
The veteran sysadmin, industry observer, and commentator, who blogs as rachelbythebay, posted an update concerning the odd behavior in the atop command, which she warned about on Wednesday.
Atop is a system- and process-level resource monitoring tool primarily designed for Linux. It's included in the package repositories of most major Linux distributions, though it isn't usually installed by default.
Kroll's follow-up post, titled Problems with the heap, opens with:
The post goes on to explain the strange behavior Kroll observed in the atop command, which she described as suspicious – likening it to a children's playground built out of dangerously sharp materials. She also explained directly to The Register:
In summary, there was a bug in atop that allowed unrelated programs to cause the atop command to fail, and to crash in more than one way. This kind of behavior shouldn't happen and usually signals a deeper problem. This sort of unexpected behavior is the stuff of which security exploits are made. That doesn't necessarily mean this was an actual, usefully exploitable flaw – there is no evidence of one, so far – but it was a weird little bug, and that is a bad thing.
Alongside the discussion, the maintainer of atop identified an issue related to memory mapping and addressed it by reintroducing a check around the munmap() call yesterday. This check had previously been removed during a cleanup commit that also eliminated other safeguards deemed redundant. Those removals are now under further scrutiny.
It's almost certain that there is also now a call to rewrite atop in Rust. It's facetious, but the deeper point is real: the flexibility of the C programming language permits behavior like this, and finding a safer way to do systems programming is the reason that Rust exists at all.
Many commentators are saying that a more correct way to report this sort of possible bug is to formally file a Common Vulnerabilities and Exposures (CVE) record. In that case, good news: there is one.
Our sympathies are with Kroll on this. She saw some strange behavior, and lacking the time to fully investigate what was happening, isolate it, and go through the formal process of filing a fault report, she made a small post on her personal blog saying that something might be wrong. As it happens, her personal blog is widely read, and she's a respected industry commentator, so the result was a lot of coverage – and concern. Could she have handled it differently? Possibly. Was it better to highlight it than do nothing at all? Definitely yes, in our humble opinion.
As it is, she has flagged something that it seems many people had not realized: that atop is not just another top-like command, like htop and btop++ and the rest, some of which come preinstalled. Unlike the other "tops", atop has a background component, and even when nothing else is wrong, that generates log files. Atop, for clarity, is not inherently dangerous, but if you don't need it, it probably shouldn't be something that you leave turned on just in case. ®
Bootnote
Credit for the sumptuous sobriquet OverDAtop goes to Reg commenter PhilS. How can the world take a possible vulnerability seriously unless it has a catchy nickname? Now all it needs is a logo and a website…